We propose Kleene algebra with domain (KAD), an extension of Kleene algebra with two equational axioms for a domain and a codomain operation, respectively. KAD considerably augments the expressiveness of Kleene algebra, in particular for the specification and analysis of state transition systems. We develop the basic calculus, discuss some related theories and present the most important models of KAD. We demonstrate applicability by two examples: First, an algebraic reconstruction of Noethericity and well-foundedness; second, an algebraic reconstruction of propositional Hoare logic.

Reasoning about Programs — assertions; invariants; logics of programs; mechanical verification;

1. INTRODUCTION

State transition systems are often modelled in a bipartite world in which proposi- 
tions and actions coexist. Propositions express static properties of states, while ac- 
tions relate states to model their dynamics. Propositions are usually organized in a 
Boolean algebra, whereas the sequential, non-deterministic and iterative behaviour 
of actions is often ruled by a Kleene algebra. Reasoning about state transition sys- 
tems requires migration between the two parts of the world. This can be modelled 
by two mappings. One sends actions to propositions in order to express properties 
of actions. The other sends propositions to actions in order to model proposi- 
tions as tests, measurements or observations on states, hence as state-preserving 
actions. This is needed in particular for programming constructs like conditionals 
or while-loops. 

There are two prominent, but complementary realizations of this two-world picture: Propositional dynamic logic (PDL) and its algebraic variants (see, among
others, [Harel et al. 2000; Kozen 1979b; Németi 1981; Pratt 1988; 1991; Trnková
and Reiterman 1987]) and Kleene algebra with tests (KAT) [Kozen 1997]. In PDL,
only propositions are first-class citizens. This gives the approach a logical flavor. 
While equivalence of propositions is directly expressible, actions can only be ob- 
served indirectly through propositions; the algebra of actions is implicitly defined 
within that of propositions. However, both mappings are present: modal operators 
from actions and propositions into propositions and test operators from propo- 
sitions into actions. This approach is suited for an extensional world, in which 
actions are completely determined by their input/output behaviour, for instance, 
when they are modelled as set-theoretic relations. Then, the use of modal operators 
allows a very versatile and intuitive reasoning. In KAT, only actions are first-class 
citizens. This gives the approach an algebraic flavour. While equivalence of actions 
is directly expressible, propositions can only be observed by considering them as 
actions; the algebra of propositions is embedded as a subalgebra into the algebra 
of actions, which is a Kleene algebra. Thus only the mapping from propositions 
to actions is present. The overloading of syntax for propositions and actions leads 
to particularly economical specifications and proofs. KAT does not make any ex- 
tensionality assumptions and therefore admits a rich class of models beyond the 
relational one.¹ Using PDL or KAT, many properties of state transition systems
can succinctly be expressed and analyzed. Each approach has its particular advantages and merits. Note, however, that PDL is EXPTIME-complete [Harel et al.
2000], while the equational theory of KAT is PSPACE-complete [Kozen and Smith 
1996]. 

We propose Kleene algebra with domain (KAD) as an extension of KAT and as 
a reconciliation of KAT and PDL with equal opportunities for propositions and 
actions. We believe that KAD not only combines the particular advantages of both 
previous approaches, but also offers additional flexibility and symmetry and yields 
new structural insights. In particular, beyond this reconciliation, our algebraic 
abstraction of the domain operation yields a uniform view of hitherto separate 
approaches to program analysis and development: formalisms based on modal logic 
such as PDL, formalisms based on algebra such as KAT, set-based formalisms such 
as B [Abrial 1996] and Z [Spivey 1988], where domain is extensively used, and 
semantic approaches based on predicate transformers [Dijkstra 1976]. As in KAT, 
we embed propositions into actions. As in PDL, we also provide a mapping from 
actions to propositions: the domain operation. Adding domain to KAT is only 
natural. Relations are the standard model for state transition systems in KAT and 
PDL. Domain is probably the most natural "modal operator" for relations and KAD 
supports abstract algebraic reasoning with it. Domain has already been defined 
algebraically in extensions of Kleene algebra like quantales and relation algebras 
(cf. [Aarts 1992; Desharnais and Möller 2001; Desharnais et al. 2000; Schmidt
and Ströhlein 1993]). But there is no straightforward transfer to KAT. Again,
KAD offers several benefits. In opposition to relation algebra, it focuses entirely on 
the essential operations for state transition systems. Compared with quantales, our 
approach is entirely first-order and therefore better suited for automated reasoning. 



¹ Extensionality is studied under the name separability in the context of PDL [Kozen 1979a].

Here, our main emphasis is on motivating the definitions, developing the basic
calculational aspects and discussing the most interesting models of KAD. We also 
provide two examples that show its applicability. Many interesting questions, for 
instance concerning completeness, representability, expressiveness, complexity, the 
precise relation to modal algebras and a more extensive investigation of applications 
are postponed to further publications. More precisely, our main results are the 
following. 

— We propose finite equational axiomatizations of a domain and codomain operator 
for certain idempotent semirings and Kleene algebras. 

— We develop a basic domain calculus for KAD. Our axioms capture many natural 
properties of domain in the relational model and provide new structural insight 
into the abstract algebraic properties of domain. 

— We show that KAD is well-behaved on the standard models of Kleene algebra. 

— We define preimage and image operators in KAD. These are very interesting for 
the specification and analysis of state transition systems and programs. 

— We show that Noethericity and well-foundedness are expressible in KAD. We 
derive properties of these notions. 

— We show that KAD subsumes propositional Hoare logic; moreover, we argue that 
it can serve as the core of abstract axiomatic semantics for imperative program- 
ming languages. 

— We derive implementation schemata for efficient reachability algorithms for di- 
rected graphs within KAD. 

Besides these main results there are the following interesting contributions. We 
show independence of the domain and codomain axioms of KAD. We discuss their 
compatibility with those for quantales and relation algebra. We provide transla- 
tions from a class of KAD-expressions to KAT without domain. We introduce two 
notions of duality that enable a transfer between properties of domain and those 
of codomain. We show that KAD is not a finitely based variety, whereas all its 
subalgebras of propositions and all idempotent semirings with domain are. 

The remainder of this text is organized as follows. Section 2 introduces idempo- 
tent semirings, Kozen's Kleene algebra, some extensions and the standard models 
for these structures. Section 3 introduces idempotent semirings with tests, KAT 
and again the standard models. Section 4 presents an equational axiomatization 
of domain for idempotent semirings. We show independence of the axioms, discuss 
several extensions and provide some examples for the standard models. Moreover, 
we outline a basic domain calculus for idempotent semirings. Another important 
concept, locality of domain and codomain, paves the way to an incorporation of 
propositional dynamic logic. Section 5 presents two ways of basing an equational 
axiomatization of codomain for idempotent semirings on that of domain. In Sec- 
tion 6, image and preimage operators are derived from the domain and codomain 
operators. In Section 7 we derive properties of domain and codomain in KAD. 
In connection with the Kleene star operator, they allow an abstract treatment of 
reachability in directed graphs and state transition systems. Section 8 contains 
some simple metaresults on KAD. Section 9 algebraically reconstructs Noethericity
and well-foundedness in KAD. Section 10 shows that propositional Hoare logic is
subsumed by KAD. Section 11 draws conclusions and points out further work. 

2. IDEMPOTENT SEMIRINGS AND KLEENE ALGEBRA 

In this section, we introduce idempotent semirings, Kozen's variants of Kleene algebras and certain related structures such as lattice-ordered monoids and quantales.
We also present some important models of Kleene algebra, such as the relational
model, the language model, the path model, the (min, +)- and (max, +)-models
and some of the small finite Kleene algebras of Conway.

Kleene algebras are a class of algebras that axiomatize the regular operations of 
addition, multiplication and Kleene star as they arise in formal languages and in 
the analysis of state transition systems and programs. Traditionally, there are two 
main approaches to Kleene algebra, one based on semirings, the other based on 
lattices. 

2.1 Semirings 

A semiring is a structure $(A, +, \cdot, 0, 1)$ such that $(A, +, 0)$ is a commutative monoid, $(A, \cdot, 1)$ is a monoid, multiplication is left and right distributive with respect to addition and $0$ is an annihilator with respect to multiplication ($a \cdot 0 = 0 = 0 \cdot a$). We call a semiring trivial if $0 = 1$, since then for all $a \in A$

$$a = a \cdot 1 = a \cdot 0 = 0,$$

i.e., $A = \{0\}$. Therefore, henceforth we identify semirings with non-trivial semirings.

To abbreviate notation, we write $ab$ instead of $a \cdot b$ and stipulate that multiplication binds stronger than addition.

A semiring is idempotent (an i-semiring) if addition is idempotent. The class of idempotent semirings is denoted by IS.

The relation $\leq$ defined on an i-semiring $A$ by

$$a \leq b \Leftrightarrow a + b = b \tag{1}$$

for all $a, b \in A$ is a partial ordering, in fact the only partial ordering on $A$ for which $0 \leq a$ for all $a \in A$ such that addition and multiplication are (left and right) monotonic with respect to it. For that reason it is called the natural ordering on $A$. By (1), inequalities can be understood as abbreviations for equations. We therefore use the term equation freely for both kinds of expressions.

Obviously, every i-semiring is a semilattice with respect to the natural ordering with least element $0$ and addition as join. Thus

$$a \leq c \wedge b \leq c \Leftrightarrow a + b \leq c. \tag{2}$$

In calculations with partial orders, we often appeal to the principles of indirect inequality and indirect equality. Instead of $a \leq b$ we show $\forall c.\ c \leq a \Rightarrow c \leq b$ or $\forall c.\ b \leq c \Rightarrow a \leq c$. Likewise, $a = b$ can be proved by showing $\forall c.\ c \leq a \Leftrightarrow c \leq b$ or $\forall c.\ b \leq c \Leftrightarrow a \leq c$.

2.2 Kozen Semirings

A Kozen semiring (a K-semiring) [Kozen 1994a] is a structure $(A, +, \cdot, {}^*, 0, 1)$, such that $(A, +, \cdot, 0, 1)$ is an i-semiring, $a^*b$ is the least pre-fixed point of the function $\lambda x.\ b + ax$ and $ba^*$ is the least pre-fixed point of $\lambda x.\ b + xa$. Formally, the Kleene star ${}^*$ satisfies the equations

$$1 + aa^* \leq a^*, \tag{$*$-1}$$

$$1 + a^*a \leq a^*, \tag{$*$-2}$$

and the Horn formulas

$$b + ac \leq c \Rightarrow a^*b \leq c, \tag{$*$-3}$$

$$b + ca \leq c \Rightarrow ba^* \leq c, \tag{$*$-4}$$

for all $a, b, c \in A$. The class of K-semirings is denoted by KA.

The expressions $a^*b$ and $ba^*$ are uniquely defined by ($*$-1) and ($*$-3), and ($*$-2) and ($*$-4), respectively. We now recall some further standard properties of K-semirings (cf. [Kozen 1994a]). Most of them are also familiar from formal language theory [Eilenberg 1974].

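Lemma 2.1. Let $A \in$ KA. For all $a, b \in A$,

$$1 \leq a^*, \tag{3}$$

$$a^*a^* = a^*, \tag{4}$$

$$\forall i \in \mathbb{N}.\ a^i \leq a^*, \tag{5}$$

$$a^{**} = a^*, \tag{6}$$

$$(ab)^*a = a(ba)^*, \tag{7}$$

$$(a + b)^* = a^*(ba^*)^*, \tag{8}$$

$$a^*b = b + a^*ab = b + aa^*b. \tag{9}$$

For all $a, b, c \in A$,

$$a \leq 1 \Rightarrow a^* = 1, \tag{10}$$

$$a \leq b \Rightarrow a^* \leq b^*, \tag{11}$$

$$ac \leq cb \Rightarrow a^*c \leq cb^*, \tag{12}$$

$$ca \leq bc \Rightarrow ca^* \leq b^*c. \tag{13}$$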

2.3 Lattice-Ordered Monoids and Quantales 

A lattice-ordered monoid (an l-monoid) is a structure $(A, +, \sqcap, \cdot, 1)$, such that $(A, +, \sqcap)$ is a lattice, $(A, \cdot, 1)$ is a monoid and left and right multiplication are additive. l-monoids are extensively studied in [Birkhoff 1984]. An l-monoid is bounded if it has a least element $0$ and a greatest element $\top$. It is complete if the underlying lattice is. A quantale [Mulvey 1986] or standard Kleene algebra [Conway 1971] is a complete l-monoid in which left and right multiplication is universally additive. Quantales have been investigated in contexts like the logic of quantum mechanics [Mulvey 1986] and algebraic models of certain linear logics [Yetter 1990]. D-monoids or b-monoids are l-monoids whose lattice reducts are distributive or Boolean, respectively. A d-quantale and b-quantale, respectively, is a quantale whose lattice reduct is distributive, and Boolean, respectively. Remembering that a Boolean lattice is a complemented distributive lattice, we use the term Boolean algebra as a synonym. b-monoids and b-quantales have been studied, for instance, in [Desharnais and Möller 2001; Desharnais et al. 2000]. Also the sequential algebras of [Hoare and von Karger 1995] are particular b-quantales. In quantales, the Knaster-Tarski theorem guarantees that the Kleene star, which is again defined as the least pre-fixed point of a monotonic function, always exists. This is in contrast to KA, where completeness of the underlying semilattice is not assumed.

The main results of this paper are entirely based on i-semirings and not on 
quantales. 

A first reason for this decision is that i-semirings are more general than quantales. Every quantale is an l-monoid; every K-semiring and every l-monoid is an i-semiring. K-semirings are first-order structures whereas, due to completeness, quantales are essentially higher-order. A certain price we have to pay is that without the assumption of completeness we cannot freely use Galois connections as a very elegant means of defining certain functions, as would be the case in quantales.

A second reason is that in b-modules and b-quantales there is a notion of complementation. When reasoning about programs, elements of a b-monoid represent programs as input/output relations. Hence the complement of such an element relates all states that are not in the input/output relation. While this is alright for sequential programs, this concept meets severe difficulties when it comes to parallel programs and IS has the advantage of avoiding this concept.

2.4 Example Structures 

The classes IS and KA are quite rich. We now present some standard examples. We 
will later show that the domain and codomain operations are well-behaved on all 
these structures. In the first examples, we present some of the finite K-semirings 
with at most 4 elements from Conway's book (cf. [Conway 1971], p. 101). We will 
later use them, in particular, as counterexamples. 

Example 2.2. Consider the structure $A_2 = (\{0, 1\}, +, \cdot, 0, 1)$ with addition and multiplication defined by the tables

    + | 0 1        · | 0 1
    --+----        --+----
    0 | 0 1        0 | 0 0
    1 | 1 1        1 | 0 1

[Figure: Hasse diagram of the natural ordering, with 0 at the bottom and 1 at the top.]

Then $A_2$ is an i-semiring, called the Boolean semiring, since $+$ and $\cdot$ play the roles of disjunction and conjunction. $A_2$ can uniquely be extended to a K-semiring by setting $0^* = 1^* = 1$. □

Example 2.3.

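Consider the i-semiring $(\{a, 0, 1\}, +, \cdot, 0, 1)$ with addition and multiplication defined by the tables

    + | 0 a 1        · | 0 a 1
    --+------        --+------
    0 | 0 a 1        0 | 0 0 0
    a | a a a        a | 0 a a
    1 | 1 a 1        1 | 0 a 1

[Figure: Hasse diagram of the natural ordering, with 0 at the bottom, 1 in the middle and a at the top.]

It can uniquely be extended to a K-semiring by setting $0^* = 1^* = 1$ and $a^* = a$. □
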
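Example 2.4. Consider the i-semiring $(\{a, 0, 1\}, +, \cdot, 0, 1)$ with addition and multiplication defined by the tables

    + | 0 a 1        · | 0 a 1
    --+------        --+------
    0 | 0 a 1        0 | 0 0 0
    a | a a 1        a | 0 0 a
    1 | 1 1 1        1 | 0 a 1

[Figure: Hasse diagram of the natural ordering, with 0 at the bottom, a in the middle and 1 at the top.]

It can uniquely be extended to a K-semiring by setting $a^* = 0^* = 1^* = 1$. □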

Example 2.5. Consider the i-semiring $(\{a, 0, 1\}, +, \cdot, 0, 1)$ which is like the i-semiring of Example 2.4 except for the value of $a \cdot a$:

    + | 0 a 1        · | 0 a 1
    --+------        --+------
    0 | 0 a 1        0 | 0 0 0
    a | a a 1        a | 0 a a
    1 | 1 1 1        1 | 0 a 1

It can uniquely be extended to a K-semiring by setting $a^* = 0^* = 1^* = 1$. □

Example 2.6. Consider the i-semiring $(\{a, b, 0, 1\}, +, \cdot, 0, 1)$ with addition and multiplication defined by the tables

    + | 0 a 1 b      · | 0 a 1 b
    --+--------      --+--------
    0 | 0 a 1 b      0 | 0 0 0 0
    a | a a 1 b      a | 0 0 a a
    1 | 1 1 1 b      1 | 0 a 1 b
    b | b b b b      b | 0 a b b

[Figure: Hasse diagram of the natural ordering, a chain with 0 at the bottom, then a, then 1, and b at the top.]

It can be extended to a K-semiring by setting $0^* = a^* = 1^* = 1$ and $b^* = b$. □
There are 18 four-element K-semirings, up to isomorphism. 

Example 2.7. Consider a set $A$ and the structure $\mathrm{REL}(A) = (2^{A \times A}, \cup, \circ, \emptyset, \Delta)$, where $2^{A \times A}$ denotes the set of binary relations over $A$, $\cup$ denotes set union, $\circ$ denotes relational product, $\emptyset$ denotes the empty relation and $\Delta$ denotes the identity relation $\{(a, a) \mid a \in A\}$.

Then $\mathrm{REL}(A)$ is an i-semiring with set inclusion as the natural ordering. It can be extended to a K-semiring by defining $R^*$ as the reflexive transitive closure of $R$ for all $R \in \mathrm{REL}(A)$, that is, $R^* = \bigcup_{i \geq 0} R^i$, where $R^0 = \Delta$ and $R^{i+1} = R \circ R^i$.

We call $\mathrm{REL}(A)$ the relational i-semiring or K-semiring over $A$. □

Example 2.8. Let $(A, +, \cdot, 0, 1)$ be a semiring and $Q$ be a finite set. Then the set $A^{Q \times Q}$ can be viewed as the set of $|Q| \times |Q|$-matrices with indices in $Q$ and elements in $A$. Now consider the structure $\mathrm{MAT}(Q, A) = (A^{Q \times Q}, +, \cdot, 0, 1)$ where $+$ and $\cdot$ are the usual operations of matrix addition and multiplication, and $0$ and $1$ are the zero and unit matrices. Then $\mathrm{MAT}(Q, A)$ again forms a semiring, the matrix semiring over $Q$ and $A$. $\mathrm{MAT}(Q, A)$ is idempotent if $A$ is. In this case, the natural order is the componentwise order. If the underlying semiring $A$ admits infinite sums, also $Q$ may be infinite.

Taking $A$ as the Boolean semiring yields another representation of $\mathrm{REL}(A)$ as $\mathrm{MAT}(Q, A)$ in terms of adjacency matrices.

If $A$ is a K-semiring and $Q$ is finite, then $\mathrm{MAT}(Q, A)$ can be extended to a K-semiring (see [Conway 1971]) by partitioning a non-singleton matrix into submatrices $a$, $b$, $c$, $d$, of which $a$ and $d$ are square, and setting

$$\begin{pmatrix} a & b \\ c & d \end{pmatrix}^* = \begin{pmatrix} f^* & f^* b d^* \\ d^* c f^* & d^* + d^* c f^* b d^* \end{pmatrix},$$

where $f = a + bd^*c$. □
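
The block formula of Example 2.8 can be executed directly. The following is an added example, not code from the paper: it applies the formula recursively with $d$ chosen as a 1 × 1 block, over the Boolean semiring of Example 2.2 (giving reachability) and the tropical semiring of Example 2.13 (giving shortest path lengths). The names `KSemiring`, `mat_star`, `BOOL`, `TROPICAL` and the sample graph are assumptions of this example.

```python
"""Matrix star over a K-semiring via the 2x2 block formula (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, List

Matrix = List[List[Any]]


@dataclass(frozen=True)
class KSemiring:
    """Operations of a K-semiring; the field names are this example's own."""
    zero: Any
    one: Any
    add: Callable[[Any, Any], Any]
    mul: Callable[[Any, Any], Any]
    star: Callable[[Any], Any]


# Boolean semiring of Example 2.2: 0* = 1* = 1.
BOOL = KSemiring(False, True, lambda x, y: x or y,
                 lambda x, y: x and y, lambda x: True)

# Tropical semiring of Example 2.13: addition is min, multiplication is +,
# the additive unit is infinity and n* = 0 for every n.
INF = float("inf")
TROPICAL = KSemiring(INF, 0, min, lambda x, y: x + y, lambda x: 0)


def mat_add(k: KSemiring, m: Matrix, n: Matrix) -> Matrix:
    return [[k.add(x, y) for x, y in zip(r, s)] for r, s in zip(m, n)]


def mat_mul(k: KSemiring, m: Matrix, n: Matrix) -> Matrix:
    columns = list(zip(*n))
    product = []
    for row in m:
        out_row = []
        for column in columns:
            acc = k.zero
            for x, y in zip(row, column):
                acc = k.add(acc, k.mul(x, y))
            out_row.append(acc)
        product.append(out_row)
    return product


def mat_star(k: KSemiring, m: Matrix) -> Matrix:
    """Star of a square matrix; a is (n-1)x(n-1) and d is 1x1."""
    size = len(m)
    if size == 1:
        return [[k.star(m[0][0])]]
    cut = size - 1
    a = [row[:cut] for row in m[:cut]]
    b = [row[cut:] for row in m[:cut]]
    c = [row[:cut] for row in m[cut:]]
    d = [row[cut:] for row in m[cut:]]
    d_star = mat_star(k, d)
    # f = a + b d* c
    f_star = mat_star(k, mat_add(k, a, mat_mul(k, mat_mul(k, b, d_star), c)))
    upper_right = mat_mul(k, mat_mul(k, f_star, b), d_star)    # f* b d*
    lower_left = mat_mul(k, mat_mul(k, d_star, c), f_star)     # d* c f*
    lower_right = mat_add(                                     # d* + d* c f* b d*
        k, d_star, mat_mul(k, mat_mul(k, lower_left, b), d_star))
    upper = [left + right for left, right in zip(f_star, upper_right)]
    lower = [left + right for left, right in zip(lower_left, lower_right)]
    return upper + lower


# Constructed sample graph: (source, target, weight).
SAMPLE_EDGES = [(0, 1, 4), (0, 2, 1), (2, 1, 2), (1, 3, 5)]


def reachability(size: int, edges) -> Matrix:
    """Reflexive transitive closure as the star of the adjacency matrix."""
    m = [[BOOL.zero] * size for _ in range(size)]
    for src, dst, _weight in edges:
        m[src][dst] = BOOL.one
    return mat_star(BOOL, m)


def shortest_paths(size: int, edges) -> Matrix:
    """All-pairs shortest path lengths as the star in the tropical model."""
    m = [[TROPICAL.zero] * size for _ in range(size)]
    for src, dst, weight in edges:
        m[src][dst] = weight
    return mat_star(TROPICAL, m)


if __name__ == "__main__":
    for row in shortest_paths(4, SAMPLE_EDGES):
        print(row)
```

The same `mat_star` serves both models because only the scalar operations change; the max-plus semiring of Example 2.14 cannot be plugged in, since it has no star.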

Example 2.9. Let $\Sigma^*$ be the set of finite words over some finite alphabet $\Sigma$ and consider the structure $\mathrm{LAN}(\Sigma) = (2^{\Sigma^*}, \cup, ., \emptyset, \{\varepsilon\})$, where $2^{\Sigma^*}$ denotes the set of languages over $\Sigma$, and $\cup$ denotes set union, $L_1.L_2 = \{vw \mid v \in L_1, w \in L_2\}$, where $vw$ denotes concatenation of $v$ and $w$, $\emptyset$ denotes the empty language and $\varepsilon$ denotes the empty word.

Then $\mathrm{LAN}(\Sigma)$ is an i-semiring with natural ordering defined by language inclusion. It can be extended to a K-semiring by defining $L^* = \{w_1 w_2 \cdots w_n \mid n \geq 0,\ w_i \in L\}$.

We call $\mathrm{LAN}(\Sigma)$ the language i-semiring or K-semiring over $\Sigma$. Remember that $\cup$, $.$ and ${}^*$ are often called regular operations and the sets that can be obtained from finite subsets of $\Sigma^*$ by a finite number of regular operations are called regular subsets or regular events of $\Sigma^*$. The equational theory of the rational subsets is also called the algebra of regular events.

There is a natural homomorphism $L$ from the term algebra over the signature of K-semirings generated by a set $\Sigma$ onto the algebra $\mathrm{REG}(\Sigma)$ of regular subsets of $\Sigma^*$, given by $L(a) = \{a\}$ for each $a \in \Sigma$, $L(a + b) = L(a) \cup L(b)$ and $L(a \cdot b) = L(a).L(b)$. Kozen [Kozen 1994a] has shown that $\mathrm{REG}(\Sigma)$ is the free K-semiring on the generators $\Sigma$. □

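Example 2.10. Consider a set $\Sigma$ of vertices (or states). Then subsets of $\Sigma^*$ can be viewed as sets of possible graph paths (or state sequences in a transition system). The partial operation of join or fusion product $\bowtie$ of elements of $\Sigma^*$ is defined as

$$\varepsilon \bowtie \varepsilon = \varepsilon, \tag{14}$$

$$\varepsilon \bowtie (y.t) \text{ is undefined}, \tag{15}$$

$$(s.x) \bowtie \varepsilon \text{ is undefined}, \tag{16}$$

$$(s.x) \bowtie (y.t) = \begin{cases} s.x.t & \text{when } x = y, \\ \text{undefined} & \text{otherwise} \end{cases} \tag{17}$$

for all $s, t \in \Sigma^*$ and $x, y \in \Sigma$. It describes the gluing of paths at a common end point. This operation is extended to subsets of $\Sigma^*$ by

$$S \bowtie T = \{s \bowtie t \mid s \in S \wedge t \in T \wedge s \bowtie t \text{ defined}\}.$$

Then $\mathrm{PAT}(\Sigma) = (2^{\Sigma^*}, \cup, \bowtie, \emptyset, \Sigma \cup \{\varepsilon\})$ is an i-semiring that we call the path i-semiring over $\Sigma$. □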

Example 2.11. Using matrices over the language algebra we can also model labelled transition systems. Assume a set $Q$ of states and a set $\Sigma$ of labels. The matrices in $\mathrm{MAT}(Q, \mathrm{LAN}(\Sigma))$ can be considered as recording possible sequences of labels (traces) that connect two states; if there is no possible transition between two states, the corresponding matrix element is the empty language. □

Example 2.12. The language example can easily be generalized to an arbitrary monoid $(A, \cdot, 1)$. Then $(2^A, \cup, \cdot, \emptyset, \{1\})$ is the free i-semiring over $(A, \cdot, 1)$. In particular, multiplication (and star) are defined as in Example 2.9. □

Example 2.13. Set $\mathbb{N}_\infty = \mathbb{N} \cup \{\infty\}$ and define the operations min and $+$ in the obvious way. Then the structure $(\min, +) = (\mathbb{N}_\infty, \min, +, \infty, 0)$ is an i-semiring, called the tropical semiring [Kuich 1997]. Its natural ordering is the converse of the standard ordering on $\mathbb{N}_\infty$. Hence $0$, the semiring multiplicative unit, is the largest element, so that by (10) $(\min, +)$ can uniquely be extended to a K-semiring by setting $n^* = 0$ for all $n \in \mathbb{N}_\infty$. □

Example 2.14. Set $\mathbb{N}_{-\infty} = \mathbb{N} \cup \{-\infty\}$ and consider the structure $(\max, +) = (\mathbb{N}_{-\infty}, \max, +, -\infty, 0)$ with operations defined in the obvious way. Then $(\max, +)$ is an i-semiring, called the max-plus semiring [Gaubert and Plus 1997]. Its natural ordering coincides with the standard ordering on $\mathbb{N}_{-\infty}$. Unlike the tropical semiring, the max-plus semiring cannot be extended to a K-semiring. The reason is that for $a > 0$ the set $\{a^n \mid n \in \mathbb{N}\} = \{na \mid n \in \mathbb{N}\}$ is unbounded, whereas, according to (5), it should have $a^*$ as an upper bound. □

3. SUBIDENTITIES AND KLEENE ALGEBRA WITH TESTS

We now take the first step towards the definition of domain and codomain operations on IS. We discuss the subidentities of IS, KA and related structures. These are the elements that lie below the multiplicative unit. We also introduce idempotent semirings with tests and Kleene algebras with tests. Finally, we discuss a few important models of these structures.

As a motivation, consider the relational i-semiring from Example 2.7. Here, the 
domain of a relation is a set. Abstracting to arbitrary i-semirings, the domain 
operation should be a mapping from the i-semiring to some appropriate Boolean 
algebra. In the matrix representation for finite relations based on the Boolean 
semiring, obviously, a characteristic matrix can be associated with each set A. 
Setting $n = |A|$, the empty set is characterized by the $n \times n$ zero matrix, the set
$A$ by the $n \times n$ unit matrix and all other sets by matrices smaller than the unit
matrix. Obviously, there are $2^n$ such matrices, which is also the number of subsets
of A. Using this abstraction, we model domain and codomain in an i-semiring as 
an i-semiring endomorphism into the set of elements that are smaller than 1. We 
now take a closer look at the set of these elements. 

3.1 Subidentities 

An element $a$ of an i-semiring $A$ is a subidentity if $a \leq 1$. We denote the set of subidentities of $A$ by $\mathrm{sid}(A)$.

Lemma 3.1. The set of subidentities of an i-semiring forms an i-semiring. 

However, this subsemiring is usually too large for our purposes. In the relational i-semiring or in b-monoids, multiplication of subidentities is a meet operation and the set of subidentities is a Boolean sublattice (cf. Section 3.3). In i-semirings, this need not be the case.

Lemma 3.2. Multiplication of subidentities in IS is a lower bound operation. 

Proof. Let $A \in$ IS and $p, q \in \mathrm{sid}(A)$. Then $p = p1 \geq pq \leq 1q = q$. Thus $pq$ is a lower bound of $p$ and $q$. □

Lemma 3.3. Multiplication of subidentities in IS (in d-monoids, d-quantales) is not always idempotent.

Proof. Consider the i-semiring from Example 2.4. Obviously, $a$ is a subidentity that is not multiplicatively idempotent. Since the i-semiring is a chain, it is automatically a distributive lattice, hence a d-monoid. Since it is finite, it is automatically complete, hence a d-quantale. The counterexample is minimal for all these structures. □

Consequently, multiplication of subidentities in IS is not in general a greatest 
lower bound operation. Additional properties are required to model sets, proposi- 
tions or tests in IS. 

Lemma 3.4. The set of multiplicatively idempotent subidentities of an i-semiring 
forms a bounded distributive lattice. 

Proof. Let $\mathrm{isid}(A)$ be the set of multiplicatively idempotent subidentities of $A \in$ IS. We first show that multiplication restricted to $\mathrm{isid}(A)$ coincides with the greatest lower bound operation. By Lemma 3.2 it is a lower bound operation. Let $p, q, r \in \mathrm{isid}(A)$ with $r \leq p$ and $r \leq q$. Then $r = rr \leq pq$, whence $pq$ is the greatest lower bound of $p$ and $q$. Consequently, also

$$pq = qp \tag{18}$$

for $p, q \in \mathrm{isid}(A)$.

We now show the closure properties of the subalgebra. $0, 1 \in \mathrm{isid}(A)$ is obvious. Let $p, q \in \mathrm{isid}(A)$. Then

$$\begin{aligned} (p + q)(p + q) &= pp + pq + qp + qq \\ &= p + (p \sqcap q) + (q \sqcap p) + q \\ &= p + q \end{aligned}$$

and, using (18),

$$(pq)(pq) = ppqq = pq.$$

We now show that the sublattice is distributive. The first distributivity law

$$p(q + r) = pq + pr$$

holds by the semiring laws. The second distributivity law

$$p + (qr) = (p + q)(p + r)$$

then follows from the first one by lattice algebra.

Finally, the lattice is bounded, since $0, 1 \in \mathrm{isid}(A)$. □

Instead of using the set of all subidentities, we choose another way (see also the
discussion on page 18) that is conceptually much simpler and is introduced in the
following subsection.

3.2 Test-Semirings and Kleene Algebra with Tests 

Following Kozen's approach to Kleene algebra with tests, we say that a test semiring 
(a t-semiring) is an i-semiring A with a distinguished Boolean subalgebra test(A) 
of sid(A) with greatest element 1 and least element 0. We call test(A) the test 
algebra of A and say that A has tests. We denote the class of t-semirings by TS. 
A t-semiring is a Kt-semiring or Kleene algebra with tests if the t-semiring is also 
a K-semiring [Kozen 1997]. The class of Kleene algebras with test is denoted by
KAT. 

We will henceforth use letters $a, b, c, \ldots$ for arbitrary semiring elements (actions) and the letters $p, q, r, \ldots$ for tests (propositions). Moreover, we denote by $p'$ the complement of test $p$ in $\mathrm{test}(A)$ and by $p \sqcap q$ the meet of $p$ and $q$.

Lemma 3.5. IS $\subseteq$ TS.

Proof. Let $A \in$ IS. If $0 = 1$ then the claim $A \in$ TS is trivially satisfied. Otherwise, let $\mathrm{test}(A) = \{0, 1\}$ with $p \sqcup q = p + q$, $p \sqcap q = pq$ for all $p, q \in \mathrm{test}(A)$ and $1' = 0$, $0' = 1$. This yields a Boolean subalgebra. □

We call t-semirings with test algebra {0, 1} discrete. 

Lemma 3.6. Let $p, q \in \mathrm{test}(A)$ for some $A \in$ TS.

(i) $pp = p$.
(ii) $pq = p \sqcap q$.

Proof. By Lemma 3.2, $pq \leq p \sqcap q$.

(i) $p = p1 = p(p + p') = pp + pp' \leq pp + (p \sqcap p') = pp + 0 = pp \leq p1 = p$.

(ii) Similar to the first part of the proof of Lemma 3.4, using idempotence of tests. □

The following lemma collects some properties of TS which will be needed for com- 
puting with abstract image and preimage operations in Section 6. 

Lemma 3.7. Let $A \in$ TS with $a \in A$ and $p, q \in \mathrm{test}(A)$.

(i) The following properties are equivalent.

$$pa \leq aq,$$
$$aq' \leq p'a,$$
$$paq' \leq 0,$$
$$pa = paq.$$

(ii) The following properties are equivalent.

$$ap \leq qa,$$
$$q'a \leq ap',$$
$$q'ap \leq 0,$$
$$ap = qap.$$

Proof. We only show (i). The proofs of (ii) are symmetric.

(1) $pa \leq aq \Rightarrow aq' \leq p'a$.

$$aq' = 1aq' = (p + p')aq' = paq' + p'aq' \leq aqq' + p'a = a0 + p'a = p'a.$$

(2) $aq' \leq p'a \Rightarrow paq' \leq 0$.

$$paq' \leq pp'a = 0a = 0.$$

(3) $paq' \leq 0 \Rightarrow pa = paq$.

$$pa = pa1 = pa(q + q') = paq + paq' = paq.$$

(4) $pa = paq \Rightarrow pa \leq aq$.

$$pa = paq \leq aq.$$

□

3.3 Tests in b-Monoids

When $A$ is a b-monoid with uniquely defined complement $\overline{a}$ for each $a \in A$, the set of subidentities is much better behaved. Now complements in $\mathrm{sid}(A)$ can be defined as restrictions of complements in $A$, viz. as $p' = 1 \sqcap \overline{p}$. The properties $1' = 0$, $0' = 1$, $p + p' = 1$, $pp' = 0$ are easily verified. Using the restricted complement we can show that all subidentities are multiplicatively idempotent, since

$$p = 1p = (p + p')p = pp + p'p = pp + 0 = pp.$$

Consequently, $pq = p \sqcap q$ and the whole set $\mathrm{sid}(A)$ is a Boolean subalgebra of $A$ (cf. [Desharnais and Möller 2001]).

The following lemma is the key to our comparison of the domain operations in 
t-semirings and b-monoids in Subsection 4.6. 

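Lemma 3.8. (i) Let $A$ be a b-monoid. Let $a \in A$ and $p \in \mathrm{sid}(A)$. Then

$$a \leq p\top \Leftrightarrow a \leq pa. \tag{19}$$

(ii) There is a d-monoid $A$ such that the implication

$$a \leq p\top \Rightarrow a \leq pa$$

does not hold.

Proof. (i) $a \leq pa$ implies $a \leq p\top$, since $a \leq \top$.

We now show that $a \leq p\top$ implies $a \leq pa$. By lattice algebra, $a \leq p\top$ iff $a = a \sqcap p\top$. We calculate

$$\begin{aligned} a &= a \sqcap p\top \\ &= a \sqcap p(a + \overline{a}) \\ &= (a \sqcap pa) + (a \sqcap p\overline{a}) \\ &= pa + (a \sqcap p\overline{a}) \\ &\leq pa + (a \sqcap \overline{a}) \\ &= pa. \end{aligned}$$

(ii) The i-semiring of Example 2.6 is clearly also a d-monoid with $\top = b$, since the natural ordering is a chain. It satisfies $a = ab = a\top$, but $a \neq 0 = aa$. □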

3.4 Example Structures 

We now consider some models of TS and KAT. First, note that all examples by 
Conway from Section 2 (that is, Example 2.2 to Example 2.6) are discrete and 
therefore not very interesting. 

Example 3.9. In $\mathrm{REL}(A)$, there are $2^{|A|}$ subrelations of $\Delta$. They form a Boolean algebra with $P \sqcap Q = P \circ Q$ and $P' = \Delta - P$. For finite relations, in particular, this can be verified in the matrix representation. □

Example 3.10. In $\mathrm{LAN}(\Sigma)$, the only subidentities are $\emptyset$ and $\{\varepsilon\}$. They also form the only possible test algebra; hence $\mathrm{LAN}(\Sigma)$ is always discrete. The example easily generalizes to arbitrary monoids. □

Example 3.11. In the tropical semiring, all elements are subidentities. However, except for $0$ and $\infty$, they are not idempotent. Thus the only possible test algebra consists of the elements $0$ and $\infty$. □

Example 3.12. In the max-plus semiring, the only subidentities are $-\infty$ and $0$. These two elements also form the only possible test algebra. □

Example 3.13. In the path i-semiring $\mathrm{PAT}(\Sigma)$ over $\Sigma$ (cf. Example 2.10), the subidentities $P \subseteq \Sigma \cup \{\varepsilon\}$ can be considered as modelling sets of nodes or states, where $\varepsilon$ also serves as the only "pseudo-node" or "pseudo-state" in an empty sequence. □

4. DOMAIN 

In this section, we introduce several equivalent axiomatizations of the domain op- 
eration on TS, among them a purely equational one. For a differentiated picture, 
we present two notions of different expressive power: 

— A notion of predomain that suffices for deriving many natural properties of do- 
main, as we will show in Section 4.4. 

— A notion of domain that is important for more advanced applications, notably 
for treating modal operators. 

We also show independence of the respective axioms, discuss extensions to b-monoids, quantales and relation algebras, and provide examples for the standard
models.

4.1 Domain in the Relational i-Semiring 

In order to motivate our abstract definitions, consider again the relational i-semiring
of Example 2.7. Let $R \subseteq A \times A$ for some set $A$. Then the domain of $R$ is given by
the set

$\{a \in A \mid \exists b \in A . (a, b) \in R\}$.

For our abstraction to t-semirings, it should be represented as a binary relation
instead, viz. as the subidentity

$\delta(R) = \{(a, a) \in A \times A \mid \exists b \in A . (a, b) \in R\}$.

In the following subsections, we will propose algebraic point-free characterizations
of a predomain and a domain operation. We leave it to the reader to show that they
are consistent with the relational semiring. But first, let us replace the set-theoretic
characterization of domain by two more algebraic ones.

First, $\delta(R)$ is the least solution for $X$ of the inclusion

$R \subseteq X \circ R$.

Second, using Example 3.9, the complement $\delta(R)'$ of $\delta(R)$ in the Boolean lattice of
subidentities of REL($A$) (the set of all pairs below $\Delta$ that are not in $\delta(R)$) is
the greatest solution for $X$ of the inclusion

$X \circ R \subseteq \emptyset$

under the constraint $X \subseteq \Delta$. Without this restriction, the greatest solution is
$\overline{V \circ R^{\smile}}$, where $V$ denotes the universal relation and $R^{\smile}$ is the converse of $R$.

Since REL($A$) is a complete lattice with respect to set-inclusion, both solutions
are unique and the functional notation $\delta(R)$ is justified. In particular, $\delta(R) \subseteq \Delta$
is an immediate consequence of the definition in terms of a least solution. Since,
according to Example 3.9, the subidentities of REL($A$) form a Boolean algebra,
Lemma 3.7 shows that the two definitions in terms of least and greatest solutions
are indeed equivalent.

4.2 Preservers and Annihilators 

As a first step in abstracting to semirings, we introduce some auxiliary concepts.
Let $A \in$ IS and $a, b \in A$. We say that $b$ left-preserves $a$ if $a \le ba$, and that $a$
is left-stable under $b$ if $ba \le a$. If $a = ba$ we say that $a$ is left-invariant under $b$.
The concepts of right-preservation, right-stability and right-invariance are defined
in a similar way. We say that $a$ is a left annihilator of $b$ if $ab = 0$, and a right
annihilator if $ba = 0$. These concepts are useful in particular when $b \in \mathrm{sid}(A)$.
Note that every element of $A$ is left- and right-invariant under $1$ and that $0$ is a left
and right annihilator of every element of $A$.

We now use these concepts for abstracting the characterizations of domain of the 
previous subsection from the relational semiring to arbitrary idempotent semirings 
and test semirings. 

Lemma 4.1. Let $A \in$ IS and $a \in A$. The element $c \in A$ is the least left-preserver
of $a$ iff

$\forall b \in A . \; c \le b \Leftrightarrow a \le ba$. (llp)

Proof. We show that (llp) is equivalent to

$a \le ca$, (20)
$a \le ba \Rightarrow c \le b$. (21)

Equation (21) is one direction of (llp). Setting $b = c$ in (llp) yields (20). Moreover,
$a \le ca \le ba$ follows immediately from (20) and $c \le b$. □

Lemma 4.2. In IS,

(i) least left preservers are subidentities,

(ii) least left preservers are multiplicatively idempotent,

(iii) the set of least left preservers is a bounded distributive lattice with least
element 0, greatest element 1, addition as join and multiplication as meet
operation.

Proof. (i) Set $b = 1$ in (llp).

(ii) $cc \le c$ follows from (i).

We have already seen in the proof of Lemma 4.1 that (llp) implies $a \le ca$
(which is (20)), hence $a \le cca$. Insertion into the right-hand side of (llp)
yields $c \le cc$.

(iii) This follows from (i) and (ii) with Lemma 3.4. □
An analogous treatment of greatest left annihilators in IS is, however, not
straightforward. By Lemma 3.3, subidentities are in general not multiplicatively
idempotent; meets and therefore complements need not in general exist.

There are two obvious solutions: 

(1) Greatest left annihilators can be defined in terms of least left preservers if 
the distributive lattice of least left preservers can be extended to a Boolean 
lattice and if the search for a greatest solution is restricted to this Boolean 
lattice. This extension is possible by the representation theorem for distributive 
lattices (cf. [Birkhoff 1984]) according to which every distributive lattice can 
be isomorphically embedded into some field of sets. 

(2) The considerations can be specialized from IS to TS. Then, least left preservers 
and greatest left annihilators can be defined as mappings into the set of tests. 

Here, we choose the second alternative because of its simplicity, naturalness and 
technical convenience. Then, in particular, least left preservers and greatest left 
annihilators are multiplicatively idempotent subidentities by definition. Since do- 
main elements are essentially abstractions of sets, they should possess a Boolean 
structure. 

For the remainder, we will therefore restrict our attention to test semirings. 
Lemma 4.3. Let $A \in$ TS and $a \in A$. Then $c$ is the greatest left-annihilator of $a$ iff

$\forall p \in \mathrm{test}(A) . \; p \le c \Leftrightarrow pa \le 0$. (gla)

Proof. We must show that (gla) is equivalent to

$ca \le 0$, (22)

$pa \le 0 \Rightarrow p \le c$. (23)

The calculations are similar to those in the proof of Lemma 4.1. □

It follows from properties of the partial ordering that least left-preservers and
greatest left-annihilators are unique if they exist.

If the test algebra is complete then indeed they always exist, since property (gla) 
is easily seen to be closed under suprema. 

The following lemma shows the relation between the least left-preserver and the 
greatest left-annihilator in a test semiring. 

Proposition 4.4. Let $A \in$ TS. For all $a \in A$, let $c$ be the least left-preserver of
$a$ in $A$ and let $g$ be the greatest left-annihilator of $a$ in $A$. Then $c = g'$.

Proof. Using Lemma 3.7, (llp) and (gla), we calculate

$c \le p \Leftrightarrow a \le pa \Leftrightarrow p'a \le 0 \Leftrightarrow p' \le g \Leftrightarrow g' \le p$.

Thus $c = g'$ by the principle of indirect inequality. □

4.3 Defining Predomain 

We now define a predomain operation on test semirings using least left preservers. 
Proposition 4.4 provides an equivalent characterization in terms of greatest left 
annihilators. Moreover, we provide a further equivalent characterization in terms 
of two simple equations. We also show independence of the equational axioms and
that predomain exists and is uniquely defined for each test semiring.

Definition 4.5. A structure $(A, \delta)$ is a t-semiring with predomain (a $\delta$-semiring)
if $A \in$ TS and the predomain operation $\delta : A \to \mathrm{test}(A)$ satisfies (llp), that is, for
all $a \in A$ and $p \in \mathrm{test}(A)$,

$\delta(a) \le p \Leftrightarrow a \le pa$. (llp)

The class of t-semirings with predomain is denoted TSP.

The predomain is always unique if it exists, since least elements in a partial order
are always unique.

We distinguish between predomain and domain, since, as already noted, the
weaker definition suffices for deriving many natural properties.

Proposition 4.6. TSP is precisely the class of TS where each $A \in$ TSP is
enriched by a mapping $\delta : A \to \mathrm{test}(A)$ that satisfies, for all $a \in A$ and $p \in \mathrm{test}(A)$,

$\delta(a) \le p \Leftrightarrow p'a \le 0$. (gla)

Proof. Immediate from Proposition 4.4. □

Note that here we have used the lattice-theoretic dual of the greatest left annihilator 
property. 

We now present an equational characterization of predomain. 

Theorem 4.7. TSP is precisely the class of TS where each $A \in$ TSP is enriched
by a mapping $\delta : A \to \mathrm{test}(A)$ that satisfies, for all $a \in A$ and $p \in \mathrm{test}(A)$, the two
equations

$a \le \delta(a)a$, (d1)
$\delta(pa) \le p$. (d2)

Proof. We prove a somewhat stronger statement. First, we show that (d1) is
equivalent to

$\delta(a) \le p \Rightarrow a \le pa$, (24)

which is one direction of (llp). Obviously, (24) implies (d1), setting $p = \delta(a)$. For
the converse direction, $a \le \delta(a)a$ and $\delta(a) \le p$ imply $a \le pa$ by monotonicity of
multiplication.

Second, we show that (d2) is equivalent to

$a \le pa \Rightarrow \delta(a) \le p$, (25)

which is the other direction of (llp). Obviously, (25) implies (d2), instantiating $a$ by
$pa$ and using multiplicative idempotence of $p$. For the converse direction, observe
that $a \le pa$ implies $a = pa$, since $p \le 1$. Thus $\delta(a) = \delta(pa) \le p$ by (d2). □

Corollary 4.8. TSP is a variety. 

We have thus presented three equivalent axiomatizations for predomain. They are
all of particular interest. The use of the equivalences (llp) and (gla) allows us
to reduce certain TSP-expressions to TS-expressions that do not mention domain.
Moreover, both capture the basic algebraic intuition behind this concept. The
two equational axioms (d1) and (d2) are perhaps less intuitive, but very beneficial
for several reasons. First, they allow us to classify t-semirings with domain in
Section 8. Second, they enable us to connect $\delta$-semirings with modal algebras and
logics, which is, however, beyond the scope of this work. Third, they support
a simple check whether some given mapping in some test semiring is a domain
operation. The three axiomatizations taken together give us maximal flexibility in
calculations.

We now show that the equational axiomatization is minimal:

Theorem 4.9. (d1) and (d2) are independent in TS.

Proof. We provide t-semirings in which precisely one of these axioms holds.

Set $\delta(0) = \delta(1) = 1$ in the Boolean semiring $A_2$ (Example 2.2). Then (d1) holds
by neutrality of $1$. But $\delta(0 \cdot 1) = 1 \not\le 0$. Thus (d2) does not hold.

Set $\delta(0) = \delta(1) = 0$ in the same (and only) Boolean semiring. Then (d2) holds
by leastness of $0$. But $1 \not\le 0 = 0 \cdot 1 = \delta(1)1$. Thus (d1) does not hold. □

We will see in the following subsection that (d1) and (d2) together imply that
$\delta(a) = 0$ iff $a = 0$.

We now show that there also is always a meaningful — even if not very interesting 
— predomain definition for an i-semiring by choosing the discrete algebra of tests. 

Lemma 4.10. A discrete t-semiring admits precisely one predomain operation.

Proof. Let $A \in$ TS. The mapping $f$ defined by $f : 0 \mapsto 0$ and $f : a \mapsto 1$ for all
$0 \neq a \in A$ satisfies (d1) and (d2).

For (d1), if $\delta(a) = 0$ then $a = 0$. Hence $\delta(a)a = \delta(0)0 = 0 = a$. Otherwise, if
$a \neq 0$ then $\delta(a) = 1$. Hence $\delta(a)a = 1a = a$.

For (d2), if $\delta(pa) = 0$ then (d2) holds trivially. Otherwise, if $\delta(pa) = 1$ then
$pa \neq 0$ and therefore also $p \neq 0$. Thus $p = 1$ and (d2) also holds.

Thus $\delta$ is a well-defined predomain operation for $A$.

Finally, uniqueness is immediate from Lemma 4.11 (i), which will be shown in
the next subsection. □

Let us conclude this section with a general remark. In opposition to relational 
semirings, the elements of general test semirings are intensional, that is, they are 
not completely determined by the elements of the associated test algebra. For a 
given i-semiring there may be many test algebras that can be embedded. These 
and the choice of the associated (pre)domain operation determine the precision 
of measuring properties of the Kleenean elements. Thus our definition of domain 
leaves the possibility of distinguishing not only between extensional and intensional 
behavior, but also between different degrees of intensionality. 

4.4 Predomain Calculus 

A look at the relational semiring shows that the domain operation has further useful 
and interesting algebraic properties. We will now show that many of them can 
already be derived from our simple definition of predomain. We will see, however, 
in the remaining sections that an additional equational axiom is needed for more 
advanced applications. The statements of this section are useful for a more intuitive 
understanding of domain. They also serve as the basic library of rules in a domain
calculus.

Here, we list algebraic properties of domain without discussing their counterparts 
in the relational model. We leave this exercise to the reader or appeal to intuition. 

Lemma 4.11. Let $A \in$ TSP. Let $a, b \in A$, $p \in \mathrm{test}(A)$ and $q \in \mathrm{sid}(A)$.

(i) $\delta$ is fully strict:

$\delta(a) \le 0 \Leftrightarrow a \le 0$. (26)

(ii) $\delta$ is additive:

$\delta(a + b) = \delta(a) + \delta(b)$. (27)

(iii) $\delta$ is monotonic:

$a \le b \Rightarrow \delta(a) \le \delta(b)$. (28)

(iv) $\delta$ is an identity on tests:

$\delta(p) = p$. (29)

(v) $\delta$ is idempotent:

$\delta(\delta(a)) = \delta(a)$. (30)

(vi) $\delta$ yields a left invariant:

$a = \delta(a)a$. (31)

(vii) $\delta$ satisfies an import/export law:

$\delta(pa) = p\delta(a)$. (32)

(viii) $\delta$ satisfies a decomposition law:

$\delta(ab) \le \delta(a\delta(b))$. (33)

(ix) $\delta$ commutes with the complement operation on tests:

$\delta(p)' = \delta(p')$. (34)

Proof. (i) $\delta(a) \le 0 \Leftrightarrow a \le 0a \Leftrightarrow a \le 0$ follows from (llp).

(ii) Using (gla), we calculate

$\delta(a + b) \le p \Leftrightarrow p'(a + b) \le 0$
$\Leftrightarrow p'a + p'b \le 0$
$\Leftrightarrow p'a \le 0 \wedge p'b \le 0$
$\Leftrightarrow \delta(a) \le p \wedge \delta(b) \le p$
$\Leftrightarrow \delta(a) + \delta(b) \le p$.

The claim then follows from the principle of indirect inequality.

(iii) Using (27), this is a standard result from lattice theory.

(iv) $p \le \delta(p)p \le \delta(p)$ follows immediately from (d1) and $p \le 1$. $\delta(p) = \delta(p1) \le p$
follows immediately from (d2).

(v) Immediate from (iv).

(vi) By (d1) it remains to show that $\delta(a)a \le a$, which is evident, since $\delta(a) \in \mathrm{test}(A)$.

(vii) By Boolean algebra and (27) we have $\delta(a) = \delta(pa) + \delta(p'a)$. Now

$p\delta(a) = p\delta(pa) + p\delta(p'a) = \delta(pa)$,

since $\delta(pa) \le p$ and $\delta(p'a) \le p'$ by (d2).

(viii) By (llp) it suffices to show that $ab \le \delta(a\delta(b))ab$. We calculate

$ab \le a\delta(b)b \le \delta(a\delta(b))a\delta(b)b \le \delta(a\delta(b))ab$.

(ix) Immediate from (iv). □

Most of these equations are also useful for simplifying terms on t-semirings that
mention domain.

To conclude this section we note that in presence of a greatest element the
predomain operation takes part in a proper Galois connection.

Lemma 4.12. If $A \in$ TSP has a greatest element $\top$ then for all $a \in A$ and
$p \in \mathrm{test}(A)$

$\delta(a) \le p \Leftrightarrow a \le p\top$.

Proof. ($\Rightarrow$) $a = \delta(a)a \le pa \le p\top$.
($\Leftarrow$) $\delta(a) \le \delta(p\top) \le p$. □

Note, however, that this Galois connection cannot be used as an alternative 
definition of domain, since it does not give all the properties we have derived so 
far. This works only in the case of b-monoids (see Section 4.6). 

4.5 Locality and Domain Definition 

Our definition of domain for t-semirings is not yet complete. There is a natural 
property of domain — called locality — that holds in the relational model but which 
is independent of (dl) and (d2). Namely 

$\delta(R \circ S) = \delta(R \circ \delta(S))$

holds for all $R, S \subseteq A \times A$, where $A$ is a set. We leave the verification to the reader.
Intuitively, for computing the domain of a relation R o S, information about the 
domain of S suffices; information about the inner structure or the codomain of S 
is not needed. 

In TSP, only one half of locality is derivable, as Lemma 4.11 (viii) shows, the 
other half is independent. 

Lemma 4.13. There is an $A \in$ TSP in which

$\delta(a\delta(b)) \le \delta(ab)$

does not hold for all $a, b \in A$.

Proof. Consider again the discrete t-semiring of Example 2.4. According
to Lemma 4.10, the mapping $f : 0 \mapsto 0$, $f : 1 \mapsto 1$ and $f : a \mapsto 1$ is a predomain
operation. Then $f(af(a)) = f(a1) = 1$ and $f(aa) = f(0) = 0$. That is, $f(aa) \le
f(af(a))$ holds, but not $f(aa) = f(af(a))$. □

Due to independence of locality, we add the property of Lemma 4.13 to the 
predomain axioms to define the domain operation. However, we would like to 
distinguish between the two definitions, since in many applications, that property 
is not needed. 

Definition 4.14. A t-semiring with domain (a 5-semiring) is a $\delta$-semiring in
which the predomain operation $\delta : A \to \mathrm{test}(A)$ also satisfies

$\delta(a\delta(b)) \le \delta(ab)$, (dloc)

for all $a, b \in A$. We denote the class of t-semirings with domain by TSD.

We also use the term $\delta$-locality to distinguish locality of domain from that of
codomain.
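The relational characterizations of Section 4.1, the axioms (d1) and (d2) of Theorem 4.7 and the locality property (dloc) can be checked mechanically on small finite models. The following Python sketch is an added example, not part of the paper: it verifies (llp), (gla), (d1), (d2) and locality exhaustively for all relations on a small set, and replays the counterexample from the proof of Lemma 4.13. All function names are our own, and the multiplication table of the three-element semiring encodes only what that proof uses (0 is the zero, 1 the unit, and aa = 0).

```python
from itertools import combinations

def subsets(items):
    """All subsets of a finite collection, as frozensets."""
    items = list(items)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def compose(R, S):
    """Relational composition R o S."""
    return frozenset((x, z) for (x, y) in R for (y2, z) in S if y == y2)

def dom(R):
    """Domain of R as a subidentity: {(a, a) | exists b. (a, b) in R}."""
    return frozenset((x, x) for (x, _) in R)

def model(n):
    """Identity relation, all relations and all tests on {0, ..., n-1}."""
    ident = frozenset((x, x) for x in range(n))
    rels = subsets((x, y) for x in range(n) for y in range(n))
    return ident, rels, subsets(ident)

def check_predomain_axioms(n):
    """Exhaustively check (d1), (llp), (gla) and (d2) in the relational model."""
    ident, rels, tests = model(n)
    for R in rels:
        d = dom(R)
        if not R <= compose(d, R):                        # (d1): a <= d(a) a
            return False
        for p in tests:
            if (d <= p) != (R <= compose(p, R)):          # (llp)
                return False
            if (d <= p) != (not compose(ident - p, R)):   # (gla): p' a <= 0
                return False
            if not dom(compose(p, R)) <= p:               # (d2): d(p a) <= p
                return False
    return True

def check_locality(n):
    """Check d(R o S) = d(R o d(S)) for all pairs of relations."""
    _, rels, _ = model(n)
    return all(dom(compose(R, S)) == dom(compose(R, dom(S)))
               for R in rels for S in rels)

# Three-element semiring from the proof of Lemma 4.13 (assumed table: aa = 0).
ELEMS = ("0", "a", "1")
RANK = {"0": 0, "1": 1}  # order on the discrete test algebra {0, 1}

def mul3(x, y):
    if x == "0" or y == "0":
        return "0"
    if x == "1":
        return y
    if y == "1":
        return x
    return "0"  # a * a = 0

def f(x):
    """The predomain of Lemma 4.10: 0 -> 0, everything else -> 1."""
    return "0" if x == "0" else "1"

def discrete_is_predomain():
    """(d1) holds with equality; (d2) is checked for both tests p."""
    d1 = all(mul3(f(x), x) == x for x in ELEMS)
    d2 = all(RANK[f(mul3(p, x))] <= RANK[p] for p in ("0", "1") for x in ELEMS)
    return d1 and d2

def locality_failures():
    """Pairs (x, y) violating f(x f(y)) <= f(x y)."""
    return [(x, y) for x in ELEMS for y in ELEMS
            if RANK[f(mul3(x, f(y)))] > RANK[f(mul3(x, y))]]

if __name__ == "__main__":
    print(check_predomain_axioms(3), check_locality(2))
    print(discrete_is_predomain(), locality_failures())
```

The only failing pair is (a, a), exactly the instance computed in the proof of Lemma 4.13.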

We now impose a necessary and sufficient condition such that a discrete t-semiring
with predomain is also a t-semiring with domain. In analogy to the definition of an
integral domain in ring theory, we say that a semiring $A$ is integral if it has no
zero divisors, that is,

$ab \le 0 \Rightarrow a \le 0 \vee b \le 0$ (35)

holds for all $a, b \in A$.

Lemma 4.15. A discrete t-semiring is a t-semiring with domain iff it is integral.

Proof. Let $A$ be a discrete t-semiring. From Lemma 4.10 we know that $f$
defined by $f : 0 \mapsto 0$ and $f : a \mapsto 1$ for all $0 \neq a \in A$ is the unique predomain
operation on $A$. Thus $A$ is a $\delta$-semiring.

Let $A$ be integral. We must show that $f(af(b)) \le 0$ whenever $f(ab) \le 0$. So let
$f(ab) \le 0$. Then the construction of $f$ implies that $ab \le 0$, hence $a \le 0$ or $b \le 0$,
since there are no zero divisors. In the first case,

$f(af(b)) = f(0f(b)) = f(0) = 0$,

by construction of $f$. In the second case

$f(af(b)) = f(af(0)) = f(a0) = f(0) = 0$,

again by construction of $f$.

Now assume that $f$ satisfies (dloc), that is, $f(af(b)) \le f(ab)$, and let $ab \le 0$.
Thus $f(af(b)) \le f(ab) \le 0$ and hence $af(b) \le 0$ by construction of $f$. There are
two cases.

If $f(b) = 1$ then $af(b) = a1 = a$. Hence $af(b) \le 0$ implies $a \le 0$.
If $f(b) = 0$ then $b = 0$ by construction of $f$.

Thus $ab \le 0$ implies $a \le 0$ or $b \le 0$, that is, $A$ is integral. □

We will now show that this condition can be generalized to a sufficient condition 
on non-discrete t-semirings. 

Lemma 4.16. Every integral t-semiring with predomain is a t-semiring with domain.

Proof. Let $A$ be integral. Thus $ab \le 0$ implies $a \le 0$ or $b \le 0$. We use the
principle of indirect inequality and show

$\delta(ab) \le p \Rightarrow \delta(a\delta(b)) \le p$.

Using Proposition 4.6,

$\delta(ab) \le p \Leftrightarrow p'ab \le 0$
$\Rightarrow p'a \le 0 \vee b \le 0$
$\Leftrightarrow \delta(a) \le p \vee \delta(b) \le 0$.

In the first case $\delta(a\delta(b)) \le \delta(a) \le p$. In the second case,

$\delta(a\delta(b)) = \delta(a0) = \delta(0) = 0 \le p$.

□

4.6 Domain in b-Monoids

Definitions for predomain have originally been given for b-monoids and b-quantales
(cf. [Aarts 1992; Möller 1999; Desharnais and Möller 2001]). There, the situation
is considerably simpler.

First, as we have pointed out in Section 3, the entire set of subidentities of a
b-monoid forms a Boolean sublattice and therefore a suitable test algebra. Second,
predomain can now be defined in terms of the Galois connection (cf. Lemma 4.12)

$\delta(a) \le p \Leftrightarrow a \le p\top$, (36)

from which the equational axioms

$a \le \delta(a)\top$, (37)

$\delta(p\top) \le p$ (38)

are obtained in a generic way. Note that (36) and the equations (37) and (38) are
just (llp) and the equations (d1) and (d2), when $\top$ is replaced by $a$.

In fact, by Lemma 3.8, in b-monoids, (37) is equivalent to (d1) and (38) is
equivalent to (d2). However, (llp) does not express a Galois connection. It is
therefore rather surprising that (d1), (d2) are equivalent to (llp) in TSP. Moreover,
standard Galois theory would suggest that also (28) is needed as an equational
axiom. The fact that this is not the case in TSP and therefore also in b-monoids is
rather surprising.

We will now show formally that for b-monoids, the definition of predomain via 
least left preservers and that via the Galois connection coincide. We also show 
that the requirement on the monoid cannot be much relaxed. This means that our 
definition of pre-domain is really non-trivial. 

Lemma 4.17.

(i) For every b-monoid, (llp) and (36) are equivalent.

(ii) There is a d-monoid in which (llp) holds, but not (36).

Proof. (i) Immediate from Lemma 3.8 (i).

(ii) Let $\delta(0) = 0$ and $\delta(a) = 1$ for all $a \neq 0$ in the discrete t-semiring of
Example 2.6. Then clearly (llp) holds, but (36) does not hold by Lemma 3.8 (ii). □

In a b-quantale, domain is a priori well defined by the Galois connection.

4.7 Example Structures 

We now consider some models in TSP and TSD. 

Example 4.18. In the Boolean semiring $A_2$ (Example 2.2), the test algebra
coincides with $A_2$. Setting $\delta(x) = x$ is compatible with the definition of $f$
in Lemma 4.10. Thus it satisfies (d1) and (d2). Since $A_2$ is integral, also (dloc)
holds. Moreover, this definition is unique. □

Example 4.19. In the semiring of Example 2.4, the test algebra is $\{0, 1\}$. Setting
$\delta(0) = 0$, $\delta(a) = 1$ and $\delta(1) = 1$ is compatible with the definition of $f$ in
Lemma 4.10. Thus it satisfies (d1) and (d2). Since this semiring is integral, also
(dloc) holds. Moreover, this definition is unique. □

Example 4.20. The only possible test algebra of the language i-semiring
(Example 2.9) is $\{\emptyset, \{\varepsilon\}\}$. We set $\delta(\emptyset) = \emptyset$ and $\delta(L) = \{\varepsilon\}$ for all
$\emptyset \neq L \subseteq \Sigma^*$. This is compatible with the definition of $f$ in Lemma 4.10. Thus it
satisfies (d1) and (d2). Since the language model is integral (since it is free), also
(dloc) holds. Moreover, this definition is unique. The example easily generalizes to
arbitrary monoids. □

Example 4.21. In the path i-semiring (Example 2.10), the test algebra is
$2^{\Sigma \cup \{\varepsilon\}}$. For $S \subseteq \Sigma^*$, the set $\delta(S)$ consists of all starting
(pseudo-)nodes/states of sequences in $S$. Although the semiring is not integral,
(dloc) holds. □

Example 4.22. In the tropical semiring, the test algebra consists solely of $0$
and $\infty$. Taking $\delta(\infty) = \infty$ and $\delta(n) = 0$ is compatible with the definition of $f$ in
Lemma 4.10. Thus it satisfies (d1) and (d2). Since the tropical semiring is integral,
also (dloc) holds. Moreover, this definition is unique. □

These examples show that our definition of domain is meaningful in all the usual 
models, although non-trivial only in the relational model and the path model. 

5. CODOMAIN 

In this section, we introduce an equational axiomatization of codomain for idempo- 
tent semirings and two concepts of duality, one based on the opposite of a semiring, 
the other one based on the operation of converse, that allow an automatic transfer 
between statements about domain and those about codomain and save half of the 
work in proofs. 

The definition of codomain parallels that of domain. For a set-theoretic relation
$R \subseteq A \times A$, it is defined as

$\rho(R) = \{b \in A \mid \exists a \in A . (a, b) \in R\}$.

For a t-semiring this suggests to define a codomain operation as a least right
preserver or a greatest right annihilator. Similarly to domain, there is a property of
$\rho$-locality that is independent from the other postulates.

5.1 Codomain Definition

As usual, the opposite of a semiring (A, +, •, 0, 1) is the structure {A, +, 0, 1) where 
b = b ■ a. We denote the opposite of a semiring A by A°p. 

Definition 5.1. (i) A t-semiring with precodomain (a $\rho$-semiring) is a structure
$(A, \rho)$ such that $(A^{op}, \rho)$ is a semiring with predomain.

(ii) A t-semiring with codomain (a p-semiring) is a structure $(A, \rho)$ such that
$(A^{op}, \rho)$ is a semiring with domain.

Lemma 5.2. Let $A$ be a $\rho$-semiring.

(i) The mapping $\rho$ has type $A \to \mathrm{test}(A)$.

(ii) For all $a \in A$, the element $\rho(a)$ is a least right preserver of $a$, that is, for all
$p \in \mathrm{test}(A)$,

$\rho(a) \le p \Leftrightarrow a \le ap$. (lrp)

(iii) For all $a \in A$, the element $\rho(a)$ is a greatest right annihilator of $a$, that is,
for all $p \in \mathrm{test}(A)$,

$\rho(a) \le p \Leftrightarrow ap' \le 0$. (gra)

(iv) $\rho$ satisfies the following two equations.

$a \le a\rho(a)$, (cd1)

$\rho(ap) \le p$. (cd2)

(v) $A$ is a t-semiring with codomain if also the following equation holds.

$\rho(\rho(a)b) \le \rho(ab)$. (cdloc)

The proof is immediate from the definition and the results for predomain and
domain in Section 4. More generally, all results of that section carry over to
precodomain and codomain. Therefore we will only quote properties of domain even
when talking about the codomain operation.

We call a t-semiring with predomain and precodomain a dp-semiring and a t- 
semiring with domain and codomain a dp-semiring. When we do not want to 
distinguish, we uniformly speak about test semirings with domain and denote the 
associated class by TSD. 

Lemma 5.3. There is a non-integral t-semiring with domain and codomain.

Proof. We have seen that (d1), (d2), (dloc), and (cd1), (cd2), (cdloc),
respectively, hold in the relational model. However it is obvious that set-theoretic
relations need not be integral. Let $R$ relate all even numbers and $S$ all odd numbers
on $\mathbb{N}$. Then $R \neq \emptyset \neq S$, but $RS = \emptyset$. □

The path algebra is another non-integral t-semiring with domain and codomain.

5.2 Codomain via Converse 

In the relational semiring, it is evident that the domain of a relation is the codomain 
of its converse and vice versa. This coupling of domain and codomain via the 
concept of converse induces a second notion of symmetry or duality, besides the 
one based on opposition. As usual, the operation of converse in an i-semiring is
required to be involutive, additive and contravariant.

Definition 5.4. (i) An i-semiring with preconverse is a structure $(A, {}^\circ)$ such
that $A$ is an i-semiring and ${}^\circ : A \to A$ is an operation that satisfies the
following equations.

$a^{\circ\circ} = a$, (c1)
$(a + b)^\circ = a^\circ + b^\circ$, (c2)
$(ab)^\circ = b^\circ a^\circ$. (c3)

(ii) An i-semiring with weak converse is an i-semiring with preconverse such that
all $p \le 1$ satisfy

$p^\circ \le p$. (c4)

(iii) An i-semiring with converse [Crvenkovic et al. 2000] is an i-semiring with
preconverse that satisfies the equation

$a \le aa^\circ a$. (c5)

It is easy to show that the properties

$1^\circ = 1$, (39)

$0^\circ = 0$, (40)

$a \le b \Rightarrow a^\circ \le b^\circ$ (41)

hold in every i-semiring with preconverse. The equation

$p^\circ = p$ (42)

holds in every i-semiring with weak converse. Moreover, every i-semiring with
converse is an i-semiring with weak converse.

Using the operation of converse we can express the duality between domain and 
codomain within the test semiring rather than at the meta-level. 

Proposition 5.5. Let $A$ be a t-semiring with predomain and precodomain (or with
domain and codomain) and with weak converse. Then for all $a \in A$,

$\delta(a^\circ) = \rho(a)$, (43)

$\rho(a^\circ) = \delta(a)$. (44)

Proof. We only show (43), thus verifying that $\delta(a^\circ)$ satisfies Definition 5.1 of
codomain.

(cd1) By (d1), $a^\circ \le \delta(a^\circ)a^\circ$, thus

$a = a^{\circ\circ} \le (\delta(a^\circ)a^\circ)^\circ = a^{\circ\circ}(\delta(a^\circ))^\circ = a\delta(a^\circ)$.

(cd2) By (d2),

$\delta((ap)^\circ) = \delta(p^\circ a^\circ) = \delta(pa^\circ) \le p$.

(cdloc) By (dloc),

$\delta((ab)^\circ) = \delta(b^\circ a^\circ) = \delta(b^\circ\delta(a^\circ)) = \delta(b^\circ(\delta(a^\circ))^\circ) = \delta((\delta(a^\circ)b)^\circ)$.

The proof of (44) is dual. □

We could therefore take (43) as definition of codomain in a t-semiring with weak
converse.

Corollary 5.6. Let $A$ be a $\delta\rho$-semiring with weak converse. For all $a \in A$,
$p \in \mathrm{test}(A)$,

$\delta(a^\circ p) = \rho(pa)$, (45)
$\rho(a^\circ p) = \delta(pa)$. (46)

5.3 Equivalence of $\delta$-Locality and $\rho$-Locality

It may come as a surprise that domain and codomain enjoy perfect symmetry with
respect to locality of composition. We prepare the proof by an auxiliary property.

Lemma 5.7. A $\delta\rho$-semiring $A$ satisfies (dloc) iff for all $a, b \in A$,

$ab \le 0 \Leftrightarrow \rho(a)\delta(b) \le 0$. (47)

Proof. We first show that (dloc) implies (47).

$ab \le 0 \Leftrightarrow \delta(ab) \le 0$
$\Leftrightarrow \delta(a\delta(b)) \le 0$
$\Leftrightarrow a\delta(b) \le 0$
$\Leftrightarrow \rho(a) \le \delta(b)'$
$\Leftrightarrow \rho(a)\delta(b) \le 0$.

The first and third steps of the proof use (26), the second step uses (dloc), the
fourth step uses (gra) and the last step is by Boolean algebra.

Now we show that (47) implies (dloc). First, by (32) $\rho(a)\delta(b) = \rho(a\delta(b))$ and
therefore, by (26) and (47)

$ab \le 0 \Leftrightarrow a\delta(b) \le 0$. (48)

Using Boolean algebra, (48) thrice and Boolean algebra again we calculate

$\delta(ab) \le p \Leftrightarrow p'\delta(ab) \le 0$
$\Leftrightarrow p'ab \le 0$
$\Leftrightarrow p'a\delta(b) \le 0$
$\Leftrightarrow p'\delta(a\delta(b)) \le 0$
$\Leftrightarrow \delta(a\delta(b)) \le p$,

whence $\delta(ab) = \delta(a\delta(b))$ by the principle of indirect inequality. □

Since (47) is symmetric in $\delta$ and $\rho$, we obtain

Corollary 5.8. A $\delta\rho$-semiring is a t-semiring with domain iff it is a t-semiring
with codomain.

6. IMAGE AND PREIMAGE 

In many applications, domain and codomain operations occur more specifically
as image and preimage operations for some given test element. In the relational
semiring, the preimage of a set $B \subseteq A$ under a relation $R \subseteq A \times A$ is defined as

$R : B = \{x \in A \mid \exists y \in B . (x, y) \in R\}$.

We leave it to the reader to verify that this is equivalent to the point-free definition
$R : B = \delta(R \circ B)$. Dually, the image of $B$ under $R$ is defined as

$B : R = \{y \in A \mid \exists x \in B . (x, y) \in R\}$,

which is equivalent to the point-free definition $B : R = \rho(B \circ R)$.

As usual, we abstract this point-free definition from sets to semirings and define
for every $A \in$ TSP the image and the preimage operator, both denoted by $:$, as
mappings of type $\mathrm{test}(A) \times A \to \mathrm{test}(A)$ and $A \times \mathrm{test}(A) \to \mathrm{test}(A)$ by

$p : a = \rho(pa)$, (49)
$a : p = \delta(ap)$, (50)

for all $a \in A$ and $p \in \mathrm{test}(A)$. We henceforth use this notation and avoid domain
and codomain whenever this is appropriate. In particular, we often use $a : 1$ and
$1 : a$ instead of $\delta(a)$ and $\rho(a)$. We also overload this notation to definitions with
respect to domain and codomain. Since the preimage and the image operator are
multiplications, we stipulate that they bind stronger than addition.

Moreover, since image and preimage are defined by codomain and domain and 
since codomain and domain are coupled via the concept of opposition, there is 
again an automatic transfer between properties of image and those of preimage. 
Like in previous sections, we therefore only mention properties of preimage and 
quote preimage properties even when talking about the image operation. 

The following lemma connects preimage with least left preservation and
annihilation. Like (llp) and (gla), this allows us to eliminate certain occurrences of
preimage and image operators.

Lemma 6.1. Let $A \in$ TSP. For all $a \in A$ and $p, q \in \mathrm{test}(A)$,

$a : p \le q \Leftrightarrow ap \le qa$, (51)
$a : p \le q \Leftrightarrow q'ap \le 0$. (52)

Proof. Immediate from (llp), and Lemma 3.7, respectively. □

From (32) we get the following import/export rule for the preimage.

Corollary 6.2. Let $A \in$ TSP. For all $a \in A$ and $p, q \in \mathrm{test}(A)$,

$p(a : q) = (pa) : q$. (53)

Lemma 6.1 has the following consequence that couples preimage and image
operations.

Lemma 6.3. Let $A \in$ TSP. The preimage and the image operation satisfy the
following exchange law. For all $a \in A$ and $p, q \in \mathrm{test}(A)$,

$a : p \le q \Leftrightarrow q' : a \le p'$. (54)

Proof. Immediate from Lemma 6.1 and Lemma 3.7. □

The equivalence (54) is a weak analogue of the Schröder rule from the relational
calculus. Lemma 6.3 has the following immediate consequence.

Corollary 6.4. Let $A \in$ TSP. For all $a \in A$ and $p, q \in \mathrm{test}(A)$,

$(p : a)q \le 0 \Leftrightarrow p(a : q) \le 0$. (55)

The decomposition property becomes

$p : (ab) \le (p : a) : b$; (56)

under (dloc) this becomes an equality.

Finally, locality yields the following interaction of domain with preimage and of
codomain with image.

Lemma 6.5. Let $A \in$ TSD. Then for all $a, b \in A$,

$\delta(ab) = a : \delta(b)$, (57)
$\rho(ab) = \rho(a) : b$. (58)

7. DOMAIN, CODOMAIN AND KLEENE STAR 

So far, we have only investigated domain and codomain operations in test semirings,
that is, in absence of the Kleene star operation. In fact, there is no need for
further axioms in presence of the Kleene star. Therefore, in this section, we only
need to investigate the interaction of domain and codomain and that of image and
preimage with the Kleene star. It turns out that only image and preimage show
nontrivial behaviour. In particular we will see that when the Kleene star is adapted
to occur within domain and codomain operators, a finite equational axiomatization
instead of the Horn clauses (*-3) and (*-4) is possible. Moreover, one of these
equational axioms can be interpreted as an efficient reachability algorithm, when
interpreted over finite relations; its proof is by a formal derivation from a less
efficient specification.

Henceforth, K-semirings are called K(5-semirings, Kp-semirings, K(S-semirings, 
K/5-semirings, K(5/c»-semirings and Ki5/5-semirings, when they are extended by the 
respective operation(s) and defined by the respective axioms. Moreover, when we
do not want to distinguish, we uniformly speak of Kleene algebra with predomain
or Kleene algebra with domain. We denote the classes by KAP and KAD.

First, the properties of the Kleene star from Lemma 2.1 have some trivial
consequences for domain and codomain.

Lemma 7.1. Let $A \in$ KAP. Then for all $a \in A$,

$\delta(a)^* = 1$, (59)
$\delta(a^*) = 1$. (60)

The Kleene star in combination with images or preimages has a much richer and
more interesting behaviour. The following three statements show that preimages
in combination with star satisfy expressions analogous to (*-1) and (*-2) for
K-semirings. Like their counterparts in KA, they are the workhorses for many
interesting derivations. We give variants for KAD, because presence of (dloc), that
is, $(ab) : p = a : (b : p)$, allows a more compositional treatment of images and
preimages.

Lemma 7.2. Let $A \in$ KAP. For all $a \in A$ and $p \in \mathrm{test}(A)$,

$p + a^* : (a : p) \le a^* : p \ge p + a : (a^* : p)$.

The inequalities become equations, when $A \in$ KAD.

Proof. By (9),

$a^* : p = (1 + a^*a) : p = (1 : p) + (a^*a) : p \ge p + a^* : (a : p)$.

The last step uses (33). The second half of the claim is shown analogously. The
equations follow by using (dloc) instead of (33). □

Note the analogy to (9) in KA. By Lemma 7.2, $a^* : p$ is a fixed point of the mapping
$\lambda x . p + a : x$.

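Lemma 7.3. Let $A \in \mathsf{KAD}$. For all $a \in A$ and $p \in \mathsf{test}(A)$, 

$$a : p \le p \Rightarrow a^* : p \le p. \tag{61}$$

Proof. Using Lemma 6.1 and (12), we calculate 

$$a : p \le p \Leftrightarrow ap \le pa \Rightarrow a^*p \le pa^* \Rightarrow a^* : p \le p.$$

□ 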

Lemma 7.3 can also be viewed as an assertion about invariants: an invariant of a 
is also an invariant of a*. Moreover, it has two important consequences. First, we 
will use it in the following lemma to derive variants of the statements of Lemma 7.2 
that lead to more efficient evaluation of the expressions involved. Second, when the 
Kleene star is adapted to occur only within preimages, we will show in the following 
lemma that there are even equivalent equational characterizations. 

Lemma 7.4. Let $A \in \mathsf{KAD}$. Let $a \in A$ and $p, q \in \mathsf{test}(A)$. The following 
properties are equivalent and hence by Lemma 7.3 hold in KAD. 

$$a : p \le p \Rightarrow a^* : p \le p, \tag{61}$$
$$a : p + q \le p \Rightarrow a^* : q \le p, \tag{62}$$
$$a^* : p \le p + a^* : (p'(a : p)), \tag{63}$$
$$a^* : p = p + (ap')^* : (a : p). \tag{64}$$



Proof. We first show that (61), (62) and (63) are equivalent. 

(61) implies (62). $a : p + q \le p$ iff $a : p \le p$ and $q \le p$ and therefore $a^* : p \le p$ by the 
assumption. Hence also $a^* : q \le p$ by monotonicity. 

(62) implies (63). For $a^* : p \le p + a^* : (p'(a : p))$ it suffices by (62) to show that 

$$p \le p + a^* : (p'(a : p)),$$
$$a : (p + a^* : (p'(a : p))) \le p + a^* : (p'(a : p)).$$

The first inequality is trivial. The second one is proved as follows. 

$$\begin{aligned}
a : (p + a^* : (p'(a : p))) &= (a : p) + a : (a^* : (p'(a : p))) \\
&= (p + p')(a : p) + a : (a^* : (p'(a : p))) \\
&\le p + p'(a : p) + a : (a^* : (p'(a : p))) \\
&= p + a^* : (p'(a : p)).
\end{aligned}$$

The third step uses $p(a : p) \le p$; the last step uses Lemma 7.2. 

(63) implies (61). Let $a^* : p \le p + a^* : (p'(a : p))$ and assume $a : p \le p$. Then 

$$a^* : p \le p + a^* : (p'(a : p)) \le p + a^* : (p'p) = p + a^* : 0 = p + 0 = p.$$

We now show that (62) implies (64) and that (64) implies (61). This yields simpler 
proofs than a direct circle. 

(62) implies (64). First, $p + (ap')^* : (a : p) \le p + a^* : (a : p) = a^* : p$ by monotonicity of 
the Kleene star, the fact that $p \le 1$ and Lemma 7.2 with (dloc). For the converse 
direction, that is, $a^* : p \le p + (ap')^* : (a : p)$, it suffices by (62) to show that 

$$p \le p + (ap')^* : (a : p),$$
$$a : (p + (ap')^* : (a : p)) \le p + (ap')^* : (a : p).$$

The first inequality is trivial. The second one is proved as follows. 

$$\begin{aligned}
a : (p + (ap')^* : (a : p)) &= a : p + (a(p + p')) : ((ap')^* : (a : p)) \\
&= a : p + (ap) : ((ap')^* : (a : p)) + (ap') : ((ap')^* : (a : p)) \\
&\le a : p + (ap) : 1 + (ap') : ((ap')^* : (a : p)) \\
&= a : p + (ap') : ((ap')^* : (a : p)) \\
&= (ap')^* : (a : p) \\
&\le p + (ap')^* : (a : p).
\end{aligned}$$

The first two steps use additivity of domain, the third step uses $(ap')^* : (a : p) \le 1$, 
the fourth step uses that $(ap) : 1 = a : p$, the fifth step uses (61). 

(64) implies (61). Assume $a : p \le p$. Then 

$$\begin{aligned}
a^* : p &= p + (ap')^* : (a : p) \\
&\le p + (ap')^* : p \\
&= p + (ap')^* : ((ap') : p) \\
&= p + (ap')^* : 0 \\
&= p.
\end{aligned}$$

The third step uses Lemma 7.2, the fourth step uses that $(ap') : p = \delta(ap'p) = 
\delta(0) = 0$, the fifth step uses (26). □ 

Note the analogy of (62) to $b + ac \le c \Rightarrow a^*b \le c$, that is, (*-3). 

Corollary 7.5. Let $A \in \mathsf{KAD}$. For all $a, b, c \in A$ and $p \in \mathsf{test}(A)$, 

$$(ac) : p + b : q \le c : p \Rightarrow (a^*b) : q \le c : p. \tag{65}$$

Proof. The claim follows immediately from (62), replacing $p$ by $c : p$, $q$ by $b : q$ 
and using (dloc). □ 

Already Lemma 7.2 describes an unfolding step of the preimage operation. However, 
this is not the most efficient way of unfolding. In $a^* : p = p + a^* : (a : p)$, for 
instance, it is not necessary to perform a full $a$-iteration from $a : p$. Since all steps 
starting from p have already been considered, it suffices to perform the a-iteration 
from p'-states. This is expressed by (64). 
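
The reachability reading of (64) can be exercised over finite relations. The Python code below is an added example, not code from the paper: it compares the plain unfolding of Lemma 7.2 with the unfolding of (64). The function names, the sample relation `A` and the edge-count cost measure are assumptions made for this illustration.

```python
# Finite relational model, constructed for illustration: an element is a set
# of (source, target) pairs, a test is a set of states, and the preimage a:p
# is the set of states with an a-step into p.

def preimage(a, p):
    return frozenset(x for (x, y) in a if y in p)

def compose(a, b):
    return frozenset((x, z) for (x, y) in a for (u, z) in b if y == u)

def star(a, states):
    """Reflexive-transitive closure a* on the carrier `states`."""
    closure = frozenset((s, s) for s in states) | a
    while compose(closure, closure) != closure:
        closure = compose(closure, closure)
    return closure

def drop_targets(a, p):
    """The product a p': the a-steps whose target lies outside the test p."""
    return frozenset((x, y) for (x, y) in a if y not in p)

def edges_into(a, p):
    """Cost measure assumed here: number of a-edges followed backwards from p."""
    return sum(1 for (_, y) in a if y in p)

def reach_unfold(a, p):
    """Iterate x -> p + a:x, the unfolding of Lemma 7.2, to its least fixed
    point. Returns (a*:p, edges followed); every round starts from all of x."""
    x, work = frozenset(p), 0
    while True:
        work += edges_into(a, x)
        nxt = frozenset(p) | preimage(a, x)
        if nxt == x:
            return x, work
        x = nxt

def reach_64(a, p):
    """Unfold (64), a*:p = p + (ap')*:(a:p), until the target test is empty.
    Each round continues from a:p with the relation ap', so steps into states
    that were already handled are never followed again."""
    result, work, target = frozenset(), 0, frozenset(p)
    while target:
        result |= target
        work += edges_into(a, target)
        nxt = preimage(a, target)       # a : p
        a = drop_targets(a, target)     # a p'
        target = nxt
    return result, work

# Constructed sample: a chain 0..5 with a back edge 5 -> 3, a side entry
# 6 -> 2 and an unrelated self-loop on 7. The target test is {5}.
STATES = frozenset(range(8))
A = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 3), (6, 2), (7, 7)})
P = frozenset({5})

def demo():
    spec = preimage(star(A, STATES), P)                       # a* : p
    rhs_64 = P | preimage(star(drop_targets(A, P), STATES), preimage(A, P))
    slow, slow_work = reach_unfold(A, P)
    fast, fast_work = reach_64(A, P)
    return spec, rhs_64, slow, fast, slow_work, fast_work

if __name__ == "__main__":
    spec, rhs_64, slow, fast, slow_work, fast_work = demo()
    print("a*:p                  =", sorted(spec))
    print("(64) holds            =", rhs_64 == spec)
    print("both algorithms agree =", slow == fast == spec)
    print("edges followed: unfold", slow_work, "vs (64)", fast_work)
```

With (64) every edge of the relation is followed at most once, whereas the plain unfolding revisits the edges into all states found so far in every round.
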
To conclude this section we give another example that shows that the image and 
preimage mappings in a KAD again induce a K-semiring. 

Example 7.6. (An algebra of predicate transformers) Let $A \in \mathsf{KAD}$ and 
consider for all $a \in A$ the set $F_A$ of mappings $f_a = \lambda x.(a : x)$. We write $f_a(p) = a : p$ 
and define addition and multiplication on $F_A$ by 

$$(f_a \oplus f_b)(p) = f_a(p) + f_b(p), \tag{66}$$
$$(f_a \odot f_b)(p) = f_a(f_b(p)), \tag{67}$$

for all $p \in \mathsf{test}(A)$. Then it is easy to verify that $(F_A, \oplus, \odot, f_0, f_1)$ is a t-semiring 
with set of tests $\{f_p \mid p \in \mathsf{test}(A)\}$. Moreover, setting 

$$f_a^*(p) = a^* : p, \tag{68}$$

we obtain 

$$f_1 \oplus (f_a \odot f_a^*) = f_a^*, \tag{69}$$
$$f_1 \oplus (f_a^* \odot f_a) = f_a^* \tag{70}$$

from the first half of Lemma 7.2 and 

$$f_b \oplus (f_a \odot f_c) \le f_c \Rightarrow f_a^* \odot f_b \le f_c \tag{71}$$

from Corollary 7.5. Hence $(F_A, \oplus, \odot, f_0, f_1, (\cdot)^*)$ is a left K-semiring. □ 

8. KLEENE ALGEBRAS AS VARIETIES 

In this section we classify some of our results in the context of universal algebra. 

We identify varieties with equational classes. A variety is finitely based if it can 
be axiomatized by a finite set of equations. The following lemma is immediate. 

Lemma 8.1. TSD is a finitely based variety. 

The next lemma is not so immediate. It has been shown in [Kozen 1994b; Pratt 
1990] that KA with a residuation operation is a finitely based variety. The same 
phenomenon might occur when adding a domain or codomain operation. The 
following lemma shows that this is not the case. A similar argument has been used 
in [Hollenberg 1997] for algebras related to PDL. 

Lemma 8.2. KAP and KAD are not finitely based varieties. 

Proof. In [Conway 1971], p. 106, Conway gives an algebra $A_p$ for showing 
that the algebra of regular events (cf. Example 2.9) is not finitely based. For 
every finite set of equations and every prime $p$ there is a particular valid equation 
parameterized by $p$ that is not deducible, and there is an algebra $A_p$ parameterized 
by $p$ that satisfies the finite set of equations, but not the given additional equation. 
According to Conway, every expression in the language of KA is equivalent to some 
sum of terms each of which is either 0 or 1 or is simultaneously 0-free, 1-free and 
+-free. This implies that in $A_p$, which is constructed from such normal form terms, 
$ab \le 0$ implies that $a \le 0$ or $b \le 0$, thus the integral condition (35) holds. 

Now, in presence of domain, we consider the discrete t-semiring on $A_p$. Then by 
Lemma 4.10 and Lemma 4.15, the mapping defined by $\delta(0) = 0$ and $\delta(a) = 1$ for 
all $0 \ne a \in A_p$ satisfies (d1), (d2) and (dloc). In particular $0 \ne 1$. 



Thus the expansion of $A_p$ satisfies the finite set of equations and the domain 
axioms, but not the given additional equation. Consequently, the given finite set 
of equations is not complete for KAP and KAD. □ 

9. RECONSTRUCTING NOETHERICITY 

In this section we demonstrate the expressive power and applicability of KAD in 
the field of termination analysis of programs. We show that concepts of Noethericity 
and well-foundedness can be algebraically reconstructed. We further show that 
our concepts subsume those in Cohen's ω-algebra [Cohen 2000], an extension of KA 
with infinite iteration that is defined as a greatest fixed point by expressions similar 
to (*-1), (*-2), (*-3) and (*-4). Moreover, adapting a result by Goldblatt [Goldblatt 
1985], we show that for transitive relations our concept is also equivalent to 
an algebraic variant of Löb's formula from modal logic [Bull and Segerberg 1984; 
Chellas 1980]. Finally, we show that some simple and well-known properties of 
well-founded relations can be calculated in KAD in a simple and elegant way. 

Intuitively, a set-theoretic relation $R \subseteq A \times A$ is well-founded if there are 
no infinitely descending $R$-chains, that is, no infinite chains $x_0, x_1, \ldots$ such that 
$(x_{i+1}, x_i) \in R$. Moreover, $R$ is Noetherian if there are no infinitely ascending 
$R$-chains, that is, no infinite chains $x_0, x_1, \ldots$ such that $(x_i, x_{i+1}) \in R$. 

Thus, $R$ is not well-founded if there is a non-empty set $P \subseteq A$ (denoting the 
infinite chain) such that for all $x \in P$ there exists some $y \in P$ with $(y, x) \in R$. This 
is equivalent to saying that $P$ is contained in the image of $P$ under $R$, that is, 

$$P \subseteq P : R. \tag{72}$$

Consequently, if $R$ is well-founded, then only the empty set may satisfy (72). 

9.1 Noethericity: Definition and Simple Properties 

Abstracting to $A \in \mathsf{TSD}$, we say that $a$ is well-founded if for all $p \in \mathsf{test}(A)$, 

$$p \le p : a \Rightarrow p \le 0. \tag{73}$$

Moreover, $a$ is Noetherian if for all $p \in \mathsf{test}(A)$, 

$$p \le a : p \Rightarrow p \le 0. \tag{74}$$

We now calculate abstract algebraic variants of some simple and well-known 
properties of well-founded and Noetherian relations. Again, as in previous sections, we 
restrict our attention to Noethericity, which is expressed in terms of preimages. We 
do not explicitly mention well-foundedness properties that hold by duality in the 
opposite semiring. In the context of termination, reflexivity is not a desirable 
property, as we will see. Therefore the transitive closure $a^+ = aa^*$ is more interesting 
than $a^*$ itself. We say that $a$ is transitive, if $aa \le a$. 

Lemma 9.1. Let $A \in \mathsf{KAD}$. Let $a, b \in A$ and let $0 \ne 1$. 

(i) $0$ is Noetherian. 

(ii) Every test $p \ne 0$ is not Noetherian. 

(iii) If $b$ is Noetherian and $a \le b$, then $a$ is Noetherian. 

(iv) If $a$ is Noetherian, then $a \sqcap 1 = 0$, that is, $a$ is irreflexive.¹ 

(v) If $a \ne 0$ is Noetherian then $a \not\le aa$, that is, $a$ is not dense. 

(vi) $a$ is Noetherian iff $a^+$ is Noetherian. 

(vii) $a^*$ is not Noetherian. 

Proof. (i) Let $p \le 0 : p$. Then $p \le 0$, since $0 : p = 0$. 

(ii) Every such $p$ satisfies 

$$p \le p \cdot p = p : p.$$

(iii) Let $a$ be Noetherian and let $b \le a$. Then 

$$p \le b : p \Rightarrow p \le a : p \Rightarrow p \le 0.$$

Thus $b$ is Noetherian. 

(iv) We show that $0$ is the only common lower bound of $a$ and $1$. Indeed, let $p$ 
be such a lower bound. Then, since $p \le a$, by (iii) $p$ is Noetherian. On the 
other hand, $p \le 1$ and by (ii) we infer $p = 0$. 

(v) Let $a$ be dense and Noetherian. $a \le aa$ implies $a : p \le a : (a : p)$, by 
monotonicity. Thus $a : p \le 0$ for all $p \in \mathsf{test}(A)$. The particular case $p = 1$ yields 
$a \le 0$, a contradiction. 

(vi) Let $a$ be Noetherian and remember that $a^+ = aa^*$. We calculate 

$$\begin{aligned}
p \le a^+ : p &\Rightarrow a^* : p \le a^* : (a^+ : p) \\
&\Leftrightarrow a^* : p \le a : (a^* : p) \\
&\Rightarrow a^* : p \le 0 \\
&\Rightarrow 1 : p \le 0 \\
&\Rightarrow p \le 0.
\end{aligned}$$

The second step uses (dloc), $a^*a^* = a^*$ and $aa^* = a^*a$. The third step uses 
Noethericity of $a$. The fourth step uses $1 \le a^*$. Thus $a^+$ is Noetherian. 
Now let $a^+$ be Noetherian. Then, by (iii) and $a \le a^+$, $a$ is Noetherian. 

(vii) By (ii), $1$ is not Noetherian. Then $1 \le a^*$ implies that $a^*$ is not Noetherian 
using (iii). □ 

9.2 Noethericity and ω-Algebra 

We now show how our definition of Noethericity is related to the one in Cohen's 
ω-algebra. We do not introduce the axioms for this class. Intuitively, while an 
expression $a^*$ denotes finite non-deterministic iteration of $a$, $a^\omega$ denotes infinite 
iteration. As an ω-regular expression, $a^\omega$ is intended to denote a set of words 
of infinite length or streams. Consequently, in ω-algebra Noethericity of $a$ means 
absence of proper infinite iteration of $a$; thus $a^\omega = 0$. In our calculations we only 
need the following property. 

$$a^\omega \le a a^\omega. \tag{75}$$



¹ The proof will show that this particular meet exists. 






Lemma 9.2. Let $A$ be an ω-algebra that is also a $\delta$-semiring. Then for all $a \in A$, 
if $a$ is Noetherian then $a^\omega = 0$. 

Proof. Let $a$ be Noetherian. Using (33) we obtain 

$$\delta(a^\omega) \le \delta(a a^\omega) \le \delta(a \delta(a^\omega)) = a : \delta(a^\omega).$$

Thus $\delta(a^\omega) = 0$ by definition (74) of Noethericity. By Lemma 4.11(i) (strictness of 
domain), this is the case if and only if $a^\omega = 0$. □ 

The converse implication does not hold. In the language semiring we have $a^\omega = 0$ 
if $1 \sqcap a = 0$; but also 

$$a \ne 0 \Rightarrow (\forall p.\ a : p = p).$$

Note that ω-algebra can only express Noethericity, whereas TSD can express both 
Noethericity and well-foundedness. 

9.3 Noethericity and the Löb Axiom 

We now investigate an alternative characterization of Noethericity for transitive 
relations that is even equational. Remember that an element of a semiring is 
transitive if $aa \le a$. 

In modal logic, Noethericity of the underlying Kripke frame is characterized by 
Löb's axiom (cf. [Bull and Segerberg 1984; Chellas 1980]) 

$$\Box(\Box p \to p) \to \Box p.$$

For our purposes, the equivalent version $\Diamond p \to \Diamond(p \wedge \neg\Diamond p)$ is more convenient, since 
it can immediately be translated into KAD, using preimage operators resulting in 

$$a : p \le a : (p - a : p). \tag{76}$$

Here we have transcribed $\Diamond p$ into $a : p$, where $a$ is a Kleene element that represents 
the underlying Kripke frame, and $p - q$ stands for $pq'$. 

We say that $a$ is Löbian if it satisfies (76). In the relational model, Löb's axiom 
states that $a$ is transitive and that there are no infinite $a$-chains. Note the similarity 
to (63). 

We will now relate Löb's axiom and our notion of Noethericity. But first we need 
a technical lemma. 

Lemma 9.3. Let $A \in \mathsf{KAD}$. Let $a \in A$ and $p, q \in \mathsf{test}(A)$. 

(i) $a : p - a : q \le a : (p - q)$, 
(ii) $a^+ : p = a : (p + a^+ : p)$. 

Proof. (i) $a : p = a : (p(q + q')) = a : (pq) + a : (pq') \le a : q + a : (pq')$. The result 
then follows from the definition of subtraction. 

(ii) Immediate from Lemma 7.2 and the definition of $a^+$. □ 

The following theorem is essentially due to Goldblatt [Goldblatt 1985]. 

Theorem 9.4. Let $A \in \mathsf{KAD}$ and let $a \in A$. 

(i) $a$ is Noetherian if it is Löbian. 






(ii) If $a$ is Noetherian then for all $p \in \mathsf{test}(A)$, 

$$a : p \le a^+ : (p - a : p). \tag{77}$$

(iii) $a$ is Löbian if it is Noetherian and transitive. 

Proof. (i) Let $p \le a : p$. Thus equivalently $p - a : p \le 0$ by Boolean algebra. 
Using (76) we calculate 

$$p \le a : p \le a : (p - a : p) \le a : 0 = 0.$$

(ii) First, observe that (77) is equivalent to $a : p - a^+ : (p - a : p) \le 0$. Thus by 
Noethericity of $a$ it suffices to show that 

$$a : p - a^+ : (p - a : p) \le a : (a : p - a^+ : (p - a : p)).$$

We calculate 

$$\begin{aligned}
a : p - a^+ : (p - a : p) &= a : p - a : ((p - a : p) + a^+ : (p - a : p)) \\
&\le a : (p - ((p - a : p) + a^+ : (p - a : p))) \\
&= a : ((p - (p - a : p)) - a^+ : (p - a : p)) \\
&\le a : (a : p - a^+ : (p - a : p)).
\end{aligned}$$

The first and second step use Lemma 9.3 (ii) and (i). The third step uses 
$p - (q + r) = (p - q) - r$, which holds in Boolean algebra. The fourth step uses 
$p - (p - q) = pq \le q$, which holds again in Boolean algebra, and monotonicity. 

(iii) For transitive $a$ we have $a = a^+$ as the following instantiation of (*-4) shows: 

$$aa^* \le a \Leftarrow a + aa \le a.$$

Now the claim is immediate from (ii). □ 

The statement of Theorem 9.4 is closely related to the correspondence theory of 
modal logic. In this view, our property of Noethericity expresses a frame property, 
which is part of semantics, whereas our Löb axiom stands for a modal formula, 
which is part of syntax. In KAD we are able to express syntax and semantics in 
the same formalism. Moreover, while the traditional proof of the correspondence 
uses an (informal) semantic argument, our proof is entirely calculational. Further 
investigations of Noethericity in the context of KAD are outside the scope of the 
present paper. 
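
Definitions (74) and (76) can be checked directly in the finite relational model. The following Python code is an added example, not part of the paper: it decides Noethericity and the Löb property by enumerating all tests, and confirms Theorem 9.4(i), (iii) and Lemma 9.1(iv) on every relation over a small carrier. All function names and sample relations are assumptions made for this illustration.

```python
from itertools import combinations

# Finite relational model, constructed for illustration: elements are sets of
# (source, target) pairs and tests are sets of states.

def preimage(a, p):
    """a : p, the states with an a-step into p."""
    return frozenset(x for (x, y) in a if y in p)

def subsets(items):
    items = sorted(items)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def is_noetherian(a, states):
    """Definition (74): p <= a:p implies p <= 0, for every test p."""
    return all(not p or not p <= preimage(a, p) for p in subsets(states))

def looping_states(a, states):
    """Greatest test p with p <= a:p, found by shrinking 1 with p -> p (a:p).
    It holds exactly the states that start an infinite a-chain."""
    p = frozenset(states)
    while p != p & preimage(a, p):
        p = p & preimage(a, p)
    return p

def is_lobian(a, states):
    """Axiom (76): a:p <= a:(p - a:p) for every test p, where p - q = p q'."""
    return all(preimage(a, p) <= preimage(a, p - preimage(a, p))
               for p in subsets(states))

def is_transitive(a):
    """aa <= a."""
    return all((x, z) in a for (x, y) in a for (u, z) in a if y == u)

def check_section_9(states):
    """Check Theorem 9.4(i), (iii) and Lemma 9.1(iv) on every relation over
    `states`. Returns the first counterexample, or None if there is none."""
    pairs = [(x, y) for x in states for y in states]
    for a in subsets(pairs):
        noeth, lob = is_noetherian(a, states), is_lobian(a, states)
        ok = (noeth == (not looping_states(a, states))
              and (noeth or not lob)                            # 9.4(i)
              and (lob or not (noeth and is_transitive(a)))     # 9.4(iii)
              and not (noeth and any(x == y for (x, y) in a)))  # 9.1(iv)
        if not ok:
            return a
    return None

# Constructed sample relations on the carrier {0, 1, 2, 3}.
S = frozenset(range(4))
CHAIN = frozenset({(0, 1), (1, 2), (2, 3)})           # acyclic, not transitive
CHAIN_PLUS = CHAIN | {(0, 2), (0, 3), (1, 3)}         # its transitive closure
CYCLIC = frozenset({(0, 1), (1, 2), (2, 1), (2, 3)})  # contains 1 -> 2 -> 1

if __name__ == "__main__":
    for name, a in (("CHAIN", CHAIN), ("CHAIN_PLUS", CHAIN_PLUS), ("CYCLIC", CYCLIC)):
        print(name, "Noetherian:", is_noetherian(a, S),
              "transitive:", is_transitive(a), "Lobian:", is_lobian(a, S),
              "looping states:", sorted(looping_states(a, S)))
    print("counterexample over 3 states:", check_section_9(frozenset(range(3))))
```

`CHAIN` is Noetherian but fails (76) because it is not transitive, which is why Theorem 9.4(iii) needs both hypotheses.
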

10. RECONSTRUCTING HOARE LOGIC 

In this section we consider another application of KAD; an algebraic representa- 
tion of propositional Hoare logic. Establishing this kind of subsumption relation is 
a popular exercise for many logics and algebras for imperative programming lan- 
guages. Hoare logic has, for instance, already been embedded into PDL [Fischer 
and Ladner 1979] and KAT [Kozen 2001]. Since KAD is an extension of KAT, our 
subsumption result is no surprise. However we believe that it is interesting for at 
least two reasons. First, in KAD, an encoding of the inference rules of the Hoare 
calculus is much more crisp and clear and so are their correctness proofs. Second, the 
properties of the standard partial correctness semantics [Loeckx and Sieber 1987; 
Apt and Olderog 1997] for Hoare logic mirror precisely those of domain, so that 
KAD may be considered a natural abstract algebraic semantics for propositional 
Hoare logic. A point that takes KAD strictly beyond KAT in this context is the 
possibility to express the weakest precondition operator as 

$$\mathrm{wlp}(a, p) = (a : p')'.$$

However, to keep matters short, we stay with Hoare logic in this text and refer to 
[Möller and Struth 2003b] for a full account of wlp in KAD. 
We start by encoding the relevant programming constructs in KA. 

$$a ; b = ab, \tag{78}$$
$$\textbf{if}\ p\ \textbf{then}\ a\ \textbf{else}\ b = pa + p'b, \tag{79}$$
$$\textbf{while}\ p\ \textbf{do}\ a = (pa)^*p'. \tag{80}$$

We now briefly recall the syntax and semantics of Hoare logic. The basic formulas 
are partial correctness assertions of the form {p} a {q}, where p and q (the pre- 
condition and postcondition) denote Boolean expressions and a denotes a program. 
Intuitively, p models a property of the input states of a program, while q models a 
property that is intended to hold at the output states. The program a is intuitively 
interpreted as a relation between input and output states. Traditionally, the Hoare 
calculus uses the following inference rules for reasoning about programs. 

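Assignment: $\{p[e/x]\}\ x := e\ \{p\}$ 

Composition: $\dfrac{\{p\}\ a\ \{q\} \qquad \{q\}\ b\ \{r\}}{\{p\}\ a ; b\ \{r\}}$ 

Conditional: $\dfrac{\{p \wedge q\}\ a\ \{r\} \qquad \{p' \wedge q\}\ b\ \{r\}}{\{q\}\ \textbf{if}\ p\ \textbf{then}\ a\ \textbf{else}\ b\ \{r\}}$ 

While: $\dfrac{\{p \wedge q\}\ a\ \{q\}}{\{q\}\ \textbf{while}\ p\ \textbf{do}\ a\ \{p' \wedge q\}}$ 

Weakening: $\dfrac{p_1 \to p \qquad \{p\}\ a\ \{q\} \qquad q \to q_1}{\{p_1\}\ a\ \{q_1\}}$ 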

Assignment is a non-propositional inference rule that deals with the internal struc- 
ture of states. It is therefore disregarded in this embedding. Following [Kozen 
2001], we call the fragment of Hoare logic without assignments propositional Hoare 
logic (PHL). Following [Kozen 2001] further, we define partial correctness assertions 
in KAT by 

$$\{p\}\ a\ \{q\} \Leftrightarrow paq' \le 0.$$

Using the dual of (52), we can rewrite this definition more directly as 

$$\{p\}\ a\ \{q\} \Leftrightarrow p : a \le q. \tag{81}$$

Accordingly, the inference rules of PHL can be encoded as 

Composition: $p : a \le q \wedge q : b \le r \Rightarrow p : (ab) \le r$, 

Conditional: $(pq) : a \le r \wedge (p'q) : b \le r \Rightarrow q : (pa + p'b) \le r$, 

While: $(pq) : a \le q \Rightarrow q : ((pa)^*p') \le p'q$, 

Weakening: $p_1 \le p \wedge p : a \le q \wedge q \le q_1 \Rightarrow p_1 : a \le q_1$. 

Theorem 10.1. The encoded rules of PHL are derivable in KAP. Therefore PHL 
is sound with respect to this algebraic semantics. 

Proof. (i) (Composition) 

$$p : (ab) \le (p : a) : b \le q : b \le r.$$

The first step uses (33), the second one the assumption and monotonicity. 

(ii) (Conditional) 

$$q : (pa + p'b) = (pq) : a + (p'q) : b \le r + r = r.$$

(iii) (While) 

$$(pq) : a \le q \Rightarrow q : (pa)^* \le q \Rightarrow (q : (pa)^*)p' \le qp' \Leftrightarrow q : ((pa)^*p') \le p'q.$$

The first step uses commutativity of tests and (61). The third step uses again 
import/export. 

(iv) (Weakening) 

$$p_1 : a \le p : a \le q \le q_1.$$

Soundness of PHL means in our context that for every partial correctness 
assertion that can be proved in this calculus there is a calculation in KAD 
using translated statements. This follows by induction on the structure of 
proofs in PHL and our previous considerations. □ 

Thus, given our domain calculus from the previous sections, soundness of PHL can 
be proved literally in four lines. Compared to the KAT-based approach in [Kozen 
2001], we believe that our encodings and proofs in KAD are more concise and 
intuitive. Compared to standard set-theoretic proofs in textbooks (cf. [Apt and Olderog 
1997; Loeckx and Sieber 1987]), our proof is about ten times shorter, without tak- 
ing into account the fact that many logical and set-theoretic assumptions are left 
implicit in the textbook proofs and the proofs there are only semi-formal. 
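
The encodings (78) to (81) and the wlp operator can be run in the relational model. The following Python code is an added example, not taken from the paper: it builds a loop with (80), checks an instance of the While rule via (81) and computes wlp for the loop. The state space 0..9, the program `x := x + 1` and all function names are assumptions made for this illustration.

```python
# Relational model, constructed for illustration: a state is the value of one
# variable x in 0..9, a program is a set of (before, after) pairs and a test
# is a set of states.
STATES = frozenset(range(10))

def guard(p):                   # a test seen as a state-preserving action
    return frozenset((s, s) for s in p)

def compose(a, b):              # (78)  a ; b = ab
    return frozenset((x, z) for (x, y) in a for (u, z) in b if y == u)

def star(a):                    # a*, by squaring 1 + a until it is stable
    r = guard(STATES) | a
    while compose(r, r) != r:
        r = compose(r, r)
    return r

def if_then_else(p, a, b):      # (79)  pa + p'b
    return compose(guard(p), a) | compose(guard(STATES - p), b)

def while_do(p, a):             # (80)  (pa)* p'
    return compose(star(compose(guard(p), a)), guard(STATES - p))

def image(p, a):                # p : a, the states reached from p by a
    return frozenset(y for (x, y) in a if x in p)

def preimage(a, p):             # a : p, the states with an a-step into p
    return frozenset(x for (x, y) in a if y in p)

def hoare(p, a, q):             # (81)  {p} a {q}  <=>  p : a <= q
    return image(p, a) <= q

def hoare_kat(p, a, q):         # KAT form  p a q' <= 0
    return not compose(compose(guard(p), a), guard(STATES - q))

def wlp(a, q):                  # wlp(a, q) = (a : q')'
    return STATES - preimage(a, STATES - q)

INC = frozenset((x, x + 1) for x in range(9))   # x := x + 1, no step from 9
LT5 = frozenset(x for x in STATES if x < 5)     # loop guard  x < 5
LE5 = frozenset(x for x in STATES if x <= 5)    # invariant   x <= 5
LOOP = while_do(LT5, INC)                       # while x < 5 do x := x + 1

def while_rule_instance():
    """Premise and conclusion of the encoded While rule with p = LT5, q = LE5."""
    premise = hoare(LT5 & LE5, INC, LE5)                   # (pq) : a <= q
    conclusion = hoare(LE5, LOOP, (STATES - LT5) & LE5)    # q : ((pa)*p') <= p'q
    return premise, conclusion

if __name__ == "__main__":
    print("While rule (premise, conclusion):", while_rule_instance())
    print("wlp(LOOP, x = 5) =", sorted(wlp(LOOP, frozenset({5}))))
    print("{true} LOOP {x = 5}:", hoare(STATES, LOOP, frozenset({5})))
```

The last triple fails because the loop leaves states above 5 unchanged, and wlp returns exactly the invariant `x <= 5` as the largest precondition that guarantees `x = 5` on exit.
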

Moreover, it has already been observed in [Kozen 2001] that all Horn clauses 
built from partial correctness assertions in Hoare logic that are valid with respect 
to the standard semantics are derivable in KAT. This result holds a fortiori for 
KAD. PHL is too weak to derive all such formulas [Kozen 2001]. 

It should be noted that Hoare logic is an example where the domain operator 
can be completely eliminated from all expressions using (gla). Even more, all 
inference rules of Hoare logic can be translated into Horn clauses in KAT, where all 
antecedents are of the form $p = 0$. A technique for hypothesis elimination [Cohen 
1994; Kozen 2001; Kozen and Smith 1996] yields decidability of this fragment. 
A further investigation of PHL in KAP, notably a fully algebraic completeness 
proof, can be found in [Möller and Struth 2003b]. As a conclusion, we can only 
support [Kozen 2001] that given Kleene algebra, the specialized syntax and deductive 
apparatus of Hoare logic are inessential and can be replaced by simple equational 
reasoning. We also believe that KAD offers even further advantages. It allows us 
to combine the intuitiveness and readability of specifications in Hoare logic and 
imperative program semantics with the computational power of KAT. And finally, 
Kleene algebra offers an elegant formal calculus and a simple algebraic semantics 
for reasoning in and about Hoare logic. 

11. CONCLUSION AND FURTHER WORK 

We have presented equational axioms for domain and codomain for certain idem- 
potent semirings and extended these notions to KAD. This algebraic abstraction 
is intended as a unified view on approaches to program analysis and development 
as different as PDL, KAT, B and Z. We have outlined a calculus for KAD, defined 
preimage and image operators and presented two applications of KAD: an algebraic 
reconstruction of the notions of Noethericity and the subsumption of propositional 
Hoare logic. These and most of the other results in this text provide the foundations 
and introduce the basic calculus of KAD. They are the basis for further interesting 
work. 

On the theoretical side, expressiveness, complexity, completeness or representabil- 
ity of KAD have not been investigated in this text. The same holds for the apparent 
relation to modal algebras and in particular algebraic variants of PDL (cf. e.g. [Ehm 
et al. 2003]). 

On the practical side, it might be interesting to continue our investigations of 
termination analysis and greedy algorithms [Möller and Struth 2003a]. Moreover, 
a combination of the two methods for total correctness reasoning seems promising. 
First steps in this direction with a related Kleene algebra have already been taken 
in [von Wright 2002]. In general, the flexibility and naturalness of KAD seems very 
promising for the specification and analysis of state transition systems. As often 
with Kleene algebra, KAD might offer an abstract, simple, elegant, uniform calculus 
where different specialized formalisms and complicated reasoning had to be used 
before. 